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HASH VALUE GENERATING METHOD AND 
DEVICE, DATA ENCRYPTION METHOD 
AND DEVICE, DATA DECRYF1TON 
METHOD AND DEVICE 

This is a continuation-in-part of application Ser. No. 
08/986,390, filed Dec. 8, 1997. 

BACKGROUND OF THE INVENTION 

The present invention relates to a technique for ensuring 
security of digital signature, data encryption, etc. in a 
computer network, and particularly to a method of convert- 
ing a message to a hash value which is difficult to inversely 
convert. 

A public key cipher system has been known as an encryp- 
tion system for data such as electronic mail which is sent and 
received through a network. The processing flow based on 
the public key cipher system is as follows: 

(1) A user beforehand distributes to transmitters a public 
key for encrypting an electronic mail to be sent to the user. 

(2) A transmitter who wishes to send the electronic mail 
to the user encrypts the electronic mail by using the public 
key which is distributed from the user who is the intended 
recipient of the electronic mail, and then transmits the 
encrypted electronic mail to the destination of the electronic 
mail. 

(3) The user decrypts the encrypted electronic mail by 
using the user's own secret key (having a numeric value 
different from the public key) when receiving the encrypted 
electronic mail which is encrypted by the public key dis- 
tributed by himsel ^herself. 

This public key cipher system has been applied not only 
to a data encryption technique, but also to a digital signature 
technique which is a technique for electrically verifying 
legitimacy of a contract or the like in electronic commerce 
using a network. 

However, a lot of time is needed if a digital signature for 
a long message is generated by using only the public key 
cipher in the digital signature technique. Therefore, there has 
been proposed a method of temporarily compressing a 
message to shortened data and then generating a digital 
signature for the compressed data. 

Here, for this type of data compression, it is unnecessary 
to compress the data so that an original message can be 
restored from the compressed data unlike normal data 
compression, however, it is necessary to compress the data 
so that the compressed data has a kind of encryption 
characteristic. A hash function has been proposed to imple- 
ment such compression. 

A message for an electronic commerce document or the 
like, for example, Document A: "To Taro & Co. Esq., I will 
purchase a car (catalog No. 1443) at one million and forty 
thousand yen. Mar. 10, 1996 Yoshiura" is input data to the 
hash function. There is no upper limit to the length of the 
input data. 

The hash function subjects the input data to processing 
like encryption conversion to compress the input data to data 
having a fixed short length. For example, hash value: 
283AC9081E83D5B28977 is an output of the hash function. 

This hash value is called a message digest or a finger print, 
and ideally substantially only one hash value exists for one 
input data (message) in the world. In order to guarantee that 
"substantially only one exists in the world", it is generally 
recognized that the length of the hash value must be set to 65 
at least about 128 bits. More specifically, the hash function 
must have the following characteristics. 
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(1) One-way Properly 
When an output value of a hash function is given, it must 

be computationally difficult to determine another message 
which brings the same output value as the above output 
5 value. 

For example, it is assumed that the birthday of Kazuo is 
February 22nd. In order to search for another person whose 
birthday is coincident with Kazuo's birthday, it is statisti- 
cally sufficient to investigate the birthdays of about 183 
(365/2) persons. 

The same is satisfied even when the person is replaced by 
a message and the birth day is replaced by a hash value. That 
is, if the length of the hash value is set to 160 bits, the hash 
value can have any one of 2 J6 ° possible values (i.e., the total 
number of possible hash values is equal to 2 160 ). In order to 
15 search another message having the same hash value as a 
message concerned, it is required to investigate messages of 
2 160 /2 (=2159), and this is computationally difficult. 

(2) Collision Free Property 
The message and the hash value may be any values (i.e., 

20 no limitation is imposed on the message and the hash value). 
At any rate, it must be computationally difficult to find out 
two different messages which have the same hash value. 

For example, when any two persons having the same 
birthday are required to be found out, the birthdays of about 
25 24 persons («365 1/2 ) need to be investigated in probability. 
This is also satisfied even when the person is replaced by 
the message and the birth day is replaced by the hash value. 
That is, if the length of the hash value is set to 160 bits, in 
order to find out two difFerent messages (any messages are 
30 possible) having the same hash value, it is necessary to 
investigate a set of messages of about 2 160/2 =2 8D on average. 
This number is smaller that that in the case of the one-way 
properly, but this value is still computationally difficult. 
Various methods have been proposed to implement the 
35 hash function which requires the above characteristics, and 
at present a method of repeating character-substitution and 
transposition to obtain hash values have mainly been used. 
The following paper 1 discloses the processing principle of 
the method: 

40 ISO/IEC 10118-2, "Information technology— Security 
Techniques— Hash-functions: Part 2: Hash-functions using 
an n-bit block encryption algorithm" (1994) 

The hash function as disclosed in the paper 1 will be 
described with reference to FIG. 27. 
45 The left side of FIG. 27 is a diagram showing the 
processing flow of a general hash function, and the right side 
of FIG. 27 is a diagram showing the processing flow when 
an encryption function such as DES (Data Encryption 
Standard) is used for character-substitution/transposition 
50 repeating processing 3005 shown in the left side of FIG. 27, 
As shown at the left side of FIG. 27, a message 3001 to 
be compressed is divided into a first section Pj3002, a 
second section P 2 3003, . . . , for every predetermined length, 
and these sections are successively input to the hash function 
55 3007. 

The hash function 3007 subjects the first section P,3002 
to the character-substitution/transposition repeating process- 
ing 3005 by using an initial value 3004 as a parameter, 
thereby calculating a first intermediate output. 
60 Subsequently, the hash function subjects the second sec- 
lion P 2 3003 to the characler-substilu lion/transposition 
repeating processing 3005 by using the first intermediate 
output as a parameter (in place of the initial value 3004), 
thereby calculating a second intermediate output. 

The above processing is repeated until the data of the final 
section is input, and the finally calculated intermediate 
output is used as a hash value Hash 3006. 
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Here, in the paper 1, an encryption function (block function 3007 subjects the second section P 2 3003 to the 

encryption) such DES of USA encryption standard is used simple character-substitution/transposition repeating pro- 

for the character-substitution/transposition repeating pro- cessing 3005, thereby calculating a second intermediate 

cessing 3005. Such a hash function is called a "hash function output of 128 bits. 

using block encryption", and it has been standardized in ISO 5 The above processing is repeated until the data of the final 

(International Organization for Standardization), section is input, and the finally-calculated 128-bit interme- 

The "hash function using block encryption" will be diate output is used as a hash value Hash 3006. 

described below. The feature of the "special-purpose hash function" resides 

As shown at the right side of FIG. 27, the first section in that the length of the output of the character-substitution/ 

PJ3002 is input to the encryption function 3009 with a ]0 transposition repeating processing 3005 is shorter than the 

parameter which is obtained by converting the initial value length of each section P : 3002, P 2 3003, . . . of the message. 

3004 with a conversion function 3008. Exclusive OR 3010 The above prior arts have the following problems, 

is conducted between the encryption result based on the (1) Problem of Hash function which has been hitherto 

encryption function 3009 and the first section P a 3002 bit by proposed 

bit, thereby calculating the first intermediate output based on 15 (T). Problem of "hash function using block encryption" 

the character-substitution/transposition repeating processing As described above, the "hash function using block 

3005. encryption" uses an encryption function (block encryption) 

Subsequently, the first intermediate output is fed back and such as DES. In the block encryption, the data length of each 

then converted with the conversion function 3008. of the input data and the output data is set to 64 bits. 

Thereafter, by using the first intermediate output thus con- 20 Therefore, the length of the hash value is equal to 64 bits, 

verted as a parameter, the second section P 2 3003 is input to Further, in order to guarantee that "substantially only one 

the encryption function 3009. The exclusive OR 3010 is hash value exists in the world" for one input data (message), 

conducted between the encryption result based on the it is believed that the length of the hash value must be set to 

encryption function 3009 and the second section P 2 3003 bit about 128 bits or more as described above, 

by bit, thereby calculating the second intermediate output 25 Accordingly, when a hash value of 128 bits is obtained in 

based on the character-substitution/transposition repeating the "hash function using block encryption", it is necessary to 

processing 3005. perform the block encryption processing on each input data 

The above processing is repeated until the data of the final (64 bits) to the block encryption twice while varying the 

section is input, and the finally-calculated intermediate out- initial value or the like. That is, it is necessary to calculate 

put is used as the hash value Hash 3006. 30 the output (64 bits) twice for each input data (64 bits) to the 

When DES or the like is used for the encryption function block encryption. This reduces the processing speed of 

3009 in the "hash function using block encryption" shown at generating hash values. 

the right side of FIG. 27, the length of each section of the (2). Problem of "special-purpose hash function" 
first section P a 3002, the second section P 2 3003, . . . , and the According to the "special-purpose hash function", unlike 
length of the output of the character-substitution/ 35 the "hash function using block encryption", a hash value of 
transposition repeating processing 3005 are respectively 128 bits can be obtained without performing the character- 
equal to 64 bits, and thus the length of the hash value Hash substitution/transposition repeating processing twice for 
3006 is equal to 64 bits. each data into which the message is divided. 

The feature of the "hash function using block encryption" However, in the "special-purpose hash function", each 
resides in that the length of each section PJ3002, P 2 3003, ... 40 data into which the message is divided is subjected to the 
of the message is equal to the length of the output of the simple character-substitution/transposition repeating pro- 
character-substitution/transposition repeating processing cessing to obtain hash values as described above. Here, the 
3005. length of the output value of the character-substitution/ 

A hash function which does not use any encryption transposition repeating processing (128 bits in the above 

function such as DES in the character-substitution/ 45 case) is shorter than the length of the input value (512 bits 

transposition repeating processing 3005 is proposed. Such a in the above case). That is, the compression is performed in 

hash function is called a "special-purpose hash function", the character-substitution/transposition repeating process- 

and there are known MD5 which is an internet standard, ing. 

SHA-1 and RIPEMD-16 which are being standardized in Therefore, in the case where the message is divided into 

ISO, etc. 50 plural data every 512 bits, when there are assumed two 

Of these special-purpose hash functions, MD5 is dis- messages in which the data of only the final sections thereof 

closed in the following paper 2: are different, in a process of compressing the data (512 bits) 

R. Rivest, "The MD5 Message — Digest Algorithm," of the final section to the output of 128 bits through the 

IETF RFC 1321 (1992) The processing flow of MD5 itself character-substitution/transposition repeating processing, 

is the same as shown at the left side of FIG. 27, and it will 55 the outputs (i.e., hash values) of the two messages are 

be described with reference to the left side of FIG. 27. coincident with each other with high probability. This dete- 

First, a message 3001 to be compressed is divided into a riorates the collision free property, 

first section P 2 3002, a second section P 2 3003, . . . every 512 ©. The problems of (l), (2) also occur not only in the 

bits, and these sections are successively input to the hash case where the hash function is applied to the digital 

function 3007. 60 signature, but also in other cases. For example, the same 

The hash function 3007 subjects the first section P 1 3002 problems occur in a case where the hash function is applied 

to simple character-substitution/transposition repeating pro- to a data encryption system, 

cessing 3005 by using an initial value 3004 of 128 bits as a (1) Problem of public key cipher system 

parameter, thereby calculating a first intermediate output of (l). A lot of processing time is needed when long data are 

128 bits. 65 encrypted by using the public key cipher. 

Subsequently, by using the first intermediate output as a (z). In the case where the public key cipher system is 

parameter (in place of the initial value 3004), the hash applied to the data encryption for electronic mail, etc., when 
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the same electronic mail is transmitted to plural destinations than that of the input, and if the input value is different the 

with encryption, a transmitter must carry out the encryption output value is absolutely different. Therefore a hash value 

processing on the electronic mail for every destination by having high collision free property, that is, a safe hash value 

using public keys which are distributed from the plural can be generated 

% £T£ -r s= r sass nzzz s t kx-s: 

rec.p.ent cannot encrypt an encrypted electrons mail which ,o occurrence of initial value collision) P robab,Ut y 
is transmitted to the recipient while encrypted with a public r . , , 

key which was distributed to the sender by the recipient , ' lafget ala whlch are input 10 the first sle P 

may be input to the first step again, thereby reducing the 
SUMMARY OF THE INVENTION probability that the same hash value is introduced for 

in wWrtf .k™- a >- ,u * c u « different messages (i.e., the probability of occurrence of 

In view ot the above condition, the object of the present ^ message collision) 

invention is to rapidly generate hash values, keys, and cipher A ' 

text which have a high degree of data scrambling Further According to a third aspect of the present invention, a data 

another object of the present invention is to enable decryp- enc / v P tl0n method for encrypting data having a fixed length 

tion of a personally sent encryption data by the cooperation a . 0Ut P ulnn g encryption data having a fixed length, com- 

of more than two other recipients even when the secret key 20 pnses * 

is lost because of erroneous erasing from the file etc. a first sle P for subjecting target data to character- 
ise present invention has been implemented in view of substituti °n and/or transposition processing; 
the situation, and according to a first aspect of the present a second sle P for subjecting data obtained in the first step 
invention, a hash value generating method which is used for t0 such multiplication processing that the multiplication 
digital signature or data encryption comprises: 25 result is longer than the data length of the data concerned; 
a first step for dividing target data into at least two blocks; a lmrd step for dividing the data obtained in the second 
a second step for performing character-substitution and/or step int0 at least ^ blocks ; and 
transposition processing on any one of the at least two a fourth step for performing character-substitution and/or 
blocks obtained in the first step; ^ transposition processing on each of the at least two blocks 

a third step for performing multiplication on the data obtained in the third step, 

obtained in the second step so that the multiplication result In the data encryption method of the third aspect of the 

is longer than the data length of the data concerned; present invention, during the data encryption process, the 

a fourth step for further dividing the data obtained in the multiplication is performed so that the length of the output 

third step into at least two blocks; and 35 is longer than that of the input value, and thus the scrambling 

a fifth step for performing character-substitution and/or of the data can be efficie nlly performed, 

transposition processing on each of the at least two blocks Further, according to a fourth aspect of the present 

obtained in the fourth step. invention, a data encryption method using public key cipher 

In the hash value generating method of the first aspect of for encrv P n 'ng P^in text by using a public key, comprises: 

the present invention, during the process of generating hash 40 a fi fSt ste P f° r encrypting plain text by using as a param- 

values, multiplication is such that the length of the output eter data which are obtained by converting a first public key; 

value is longer than that of the input value as described anci 

above is performed. According to the multiplication a second step for generating a data value satisfying a 

processing, each bit of the output value is affected by each relational equation between data based on at least one 

bit of the input value, so scrambling of data can be per- 45 second public key and the data obtained by converting the 

formed with high efficiency. first public key, the relational equation being capable of 

The multiplication processing, particularly the processing directly or indirectly determine the data obtained by con- 
speed thereof, is enhanced due to recent developments in the verting the first public key if the data based on the second 
field of microprocessors. Accordingly, hash values having a public key are known, wherein the data value obtained in the 
high degree of data scrambling can be generated rapidly. 50 second step is added to cipher text obtained in the first step 

Further, according to a second aspect of the hash value as encryption data to be transmitted, 

generating method of the present invention, a hash value Further, according to a fifth aspect of the present 

generating method which is used for digital signature or data invention, a data decryption method which is paired with the 

encryption comprises: data encryption method of the fourth aspect of the present 

a first step for dividing target data into at least two blocks; * invention, comprises: 

an d A third step for determining the data based on the second 

a second step for subjecting at least one of the at least two public key from a secret key which is paired with the second 

blocks obtained in the first step to an injection extension public key; 

transformation in which an output value is absolutely dif- 60 A fourth step for determining the data obtained by con- 

ferent if an input value is different (injection) and the length verting the first public key on the basis of the data value 

of the output value is longer than the length of the input added to the cipher text and the data obtained in the third 

value (extension). step; and 

According to the second aspect of the hash value gener- A fifth step for decrypting the cipher text by using the data 

ating method of the present invention, during the hash value 65 obtained in the fourth step as a parameter, 

generating process, the injection extension transformation is According to the data encryption method of the fourth 

performed so that the length of the output is set to be longer aspect of the present invention and the data decryption 
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method of the fifth aspect of the present invention which is 
paired with the data encryption method, a person having a 
secret key which is paired with the second public key can 
gain the data obtained by converting the first public from the 
data value generated in the second step alone or in coop- 
eration with another person having a secret key which is 
paired with another second public key. 

Accordingly, not only any person having a secret key 
which is paired with the first public key, but also any person 
having a secret key which is paired with the second public 
key can decrypt the data. 

This means that when the same electronic mail is trans- 
mitted to plural destinations with encryption, it is unneces- 
sary for a transmission side to encrypt the electronic mail 
while using public keys distributed from the respective 
destinations one by one. 

BRIEF DESCRIPTION OF THE DRAWINGS 

FIG. 1 is a diagram showing the functional constitution of 
a hash value generating device according to a first embodi- 
ment of the present invention; 

FIG. 2 is a diagram showing an example of processing in 
a mixing processor 103 shown in FIG. 1; 

FIG. 3 is a flowchart showing an example of processing 
in an extension processor 104 shown in FIG. 1; 

FIG. 4 is a flowchart showing an example of processing 
in an injection extension unit 105 shown in FIG. 1; 

FIG. 5 is a flowchart showing an example of injection 
extension processing from 64-bit data to 96-bit data in step 

405 shown in FIG. 4; 

FIG. 6 is a flowchart showing an example of injection 
extension processing from 96-bit data to 128-bit data in step 

406 shown in FIG. 4; 

FIG. 7 is a flowchart showing an example of injection 
extension processing from 128-bit data to 256-bit data in 
step 407 shown in FIG. 4; 

FIG. 8 is a diagram showing the functional constitution of 
a hash value generating device which is a modification of the 
first embodiment of the present invention; 

FIG. 9 is a diagram showing an example of processing in 
mixing processor 801 shown in FIG. 8; 

FIG. 10 is a flowchart showing an example of processing 
in injection extension unit 803 shown in FIG. 8; 

FIG. 11 is a flowchart showing an example of injection 
processing from 64-bit data to 64-bit data in step 1005 
shown in FIG. 10; 

FIG. 12 is a flowchart showing an example of injection 
extension processing from 64-bit data to 80-bit data in step 
1006 shown in FIG. 10; 

FIG. 13 is a diagram showing the functional constitution 
of a data encryption device according to a second embodi- 
ment of the present invention; 

FIG. 14 is a flowchart showing an example of processing 
in 7t function processors 1306 to 1313 shown in FIG. 13; 

FIG. 15 is a diagram showing the functional constitution 
of a masking device according to a third embodiment of the 
present invention; 

FIG. 16 is a diagram showing the functional constitution 
of a data encryption device which constitutes a data 
encryption/decryption system according to a fourth embodi- 
ment of the present invention; 

FIG. 17 is a diagram showing the functional constitution 
of compression/encryption units 1612, 1615, . . . shown in 
FIG. 16; 
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FIG. 18 is a diagram showing the functional constitution 
of a data decryption device which constitutes the data 
encryption/decryption system according to the fourth 
embodiment of the present invention; 
5 FIG. 19 is a diagram showing the functional constitution 
of decryption/extention units 1810, 1812, . . . shown in FIG. 
18; 

FIG. 20 is a diagram showing the functional constitution 
of an example of a modification of the data encryption 
10 device according to a fourth embodiment of the present 
invention shown in FIG. 16; 

FIG. 21 is a diagram showing the functional constitution 
of the data encryption device constituting the data 
encryption/decryption system according to the fifth embodi- 
ment of the present invention; 

FIG. 22 is a diagram showing the functional constitution 
of a threshold value logic unit 2125 shown in FIG. 21; 

FIG. 23 is a diagram showing the functional constitution 
20 of compression/encryption units 2120, . . . shown in FIG. 21; 

FIG. 24 is a diagram showing the functional constitution 
of an example of a modification of the threshold logic of the 
data encryption device constituting the fifth embodiment of 
the present invention; 
25 FIG. 25 is a diagram showing the functional constitution 
of an example of a modification of the data encryption 
device constituting the fifth embodiment of the present 
invention; 

3Q FIG. 26 is a diagram showing the functional constitution 
of the data decryption device constituting the data 
encryption/decryption system according to the fifth embodi- 
ment of the present invention; and 
FIG. 27 is a diagram showing a conventional hash func- 

35 tion - 

DETAILED DESCRIPTION OF THE 
PREFERRED EMBODIMENTS 

Preferred embodiments according to the present invention 
40 will be described hereunder with reference to the accompa- 
nying drawings. 

Initially, the first embodiment of the present invention will 
be described. 

FIG. 1 is a diagram showing the functional constitution of 
45 a hash value generating device according to a first embodi- 
ment of the present invention. The hash value generating 
device can be implemented through execution of a prede- 
termined program by a microprocessor in an information 
processing device having the microprocessor such as a 
50 personal computer, an IC card or the like. Further, it may be 
implemented by only one LSI. The hash value generating 
device can be applied to data encryption for digital 
signature, electronic mailing, etc. 

In FIG. 1, when a message 3001 to be compressed is input 
to the hash value generating device 101, the following 
processing is performed in a data extension unit 102. 

(D In a mixing processor 103, mixing processing between 
the input message 3001 and the initial value is performed. 
60 This mixing processing will be described later. 

(2) In an extension processing unit 104, the extension 
processing is repetitively performed on the mixed data 
obtained in the mixing processor 103 for K times every L 
blocks. The K-times repetitive extension processing every L 
$5 blocks will be described later. 

The extension data 107 of the message 3001 are generated 
on the basis of the processing of (T), (2). 


Page 32 (GNewton, 03/16/2001, EAST version: 1.01.0015) 


6,122,375 

9 10 

The extension data 107 generated in the data extension u M 1 ^D l j 1 ^D 2f M 2 ^D it l2-^D 4 ,M^D Sl l 3 D 6t M 4 D 7 ,! 4 -^D e , 

unit 102 are divided into respective 64-bit frames (a lump of m 5 -+d 9 , m 6 -»d 1q , M 7 ~*D n , . . . " 

blocks) like a first section EjlOS, a second section As a result of the replacement, a sequence of 64-bit data 

E 2 109, . . . , and these frames are successively input to the blocks of ( N+4 ) (D^IO, D 2 311, D 3 212, D 4 213, D 5 214 , . . 

injection extension unit 105. 5 . ) which are streamed in this order are output as intermediate 

The injection extension unit 105 subjects the first section extension data 215. 

E 2 108 to the injection extension processing (which will be The length of the intermediate extension data 215 is equal 

described later) by using an initial value 110 of 256 bits as to an integral multiple of Lx64 bits, 

a parameter while performing character-substitution/ Next, the processing in the extension processor 104 of the 

transposition, thereby calculating a first intermediate output 10 data extension unit 102 will be described, 

of 256 bits. The extension processor 104 performs the extension pro- 

Subsequently, by using the first intermediate output as a cessing on the intermediate extension data 215. 
parameter ( in place of the initial value 110), the injection FIG. 3 is a flowchart showing an example of the process- 
extension unit 105 subjects the second section E 2 109 to the ing in the extension processor 104. 

injection extension processing while performing character- 35 In this case, the operation of copying L blocks of the 

substitution/transposition, thereby calculating a second intermediate extension data 215 and then adding the copied 

intermediate output of 256 bits, data to the rear side of the final block of the L blocks of the 

The above processing is repeated until the frame of the intermediate extension data 215 is repetitively performed for 

final section is input, and the finally-calculated 256-bit K times every L blocks. In this embodiment, this processing 

intermediate output is used as a hash value Hash 111, 20 is referred to as "the K-time repetitive extension processing 

Next, the processing of each part of the hash value every L blocks", 
generating device 101 shown in FIG. 1 will be described in First, in step 302, the 64-bit data blocks of (N+4) (D^IO, 
more detail. D 2 311 > D 3 212, D 4 213, D 5 214, . . . ) constituting the inter- 
First, the processing in the mixing processor 103 of the mediate extension data 215 obtained in the mixing processor 
data extension unit 102 will be described. 25 103 are in P ut - 

TTie mixing processor 103 performs the processing of c Subsequently, in step 303, it is set that i-l and j=0. 

dividing each of the message 3001 and the initial value 110 Subsequently, in step 304, m is calculated from the follow- 

into plural data blocks and then mixing both the blocks. in § e q uatl0n: 

FIG. 2 is a diagram showing an example of the processing 3Q m-(i-{i (mod L K)))/K+((i-i) (mod 

in the mixing processor 103. Uqt ^ mod x represents tDe processing of taking a residual 

Here, the initial value 110 comprises four 64-bit data when a vahie ^ divic j ed by X. For example, 5 (mod 2)-l 

blocks I a 201, 1 2 202, 1 3 203, 1 4 204 which are streamed in this Nextj in step 305, an m-th data block D m of the 64-bit data 

order, blocks of (N+4) constituting the intermediate extension data 

First, in a padding processor 220, the message 3001 is 35 215 is set in an i-th frame E, of the frames constituting the 

processed so that the sum of the length of the message 3001 a b 0 ve extension data 107. 

and the length of the initial value 110 (256 bits) is set to a Subsequently, in step 306, the frame E, set in step 305 is 

integral multiple of Lx64. output. 

Here, L represents a value defined by the K-time repetitive Next, in step 307, it is judged whether the m-th data block 

extension processing every L blocks which is performed in 40 D m corresponds to the final block of the 64-bit data blocks 

the extension processor 104 as described later. "64" repre- of (N+4) which constitute the intermediate extension data 

sents the bit length of the frame (data of one section) input 215. If it is the final block, the processing goes to step 308, 

to the injection extension unit 105. and if not so, the processing goes to step 310. 

Specifically, the padding processor 220 processes the In step 308, the value of j is incremented by "1" G=j+1), 

message 3001 as described later. 45 and the processing goes to step 309. 

(I) When the sum of the length of the message 3001 and the In step 309, it is judged whether j is larger than K (j>K?). 

length (256 bits) of the initial value 110 is equal to an If j is larger than K, this processing flow is ended. If j is 

integral multiple of Lx64 bits, bits "11." and bits of below K, the processing goes to step 310. 

(Lx64-2) "0101 ..." are connected to the rear portion of In step 310, the value of i is incremented by "1" (i=i+l), 

the message 3001 in this order. 50 and then the processing goes to step 304. 

©When the sum of the length of the message 3001 and the By executing the above processing flow, the K-time 

length (256 bits) of the initial value 110 is not equal to an repetitive extension processing every L blocks as described 

integral multiple of Lx64 bits, bits "11" and bits having above is performed on the intermediate extension data 215, 

any number "0101" between zero bit and (Lx64-1) bits so that the frames Ejl08, ^109, . . . which constitute the 

are connected to the rear portion of the message 3001 in 55 extension data 107 shown in FIG. 1 are successively output, 

this order. With this arrangement, the overall length of the The extension data 107 is K times as large as the interme- 

message 3001 can be set to an integral multiple of Lx64. diate enlarged data 215. 

Subsequently, in the padding processor 220, the message Next, the processing in the injection extension unit 105 

3001 which is processed so that the overall length thereof is will be described. 

equal to an integral multiple of Lx64 is converted to data 60 The injection extension unit 105 of this embodiment is the 
216 comprising 64-bit data blocks of N (Mj205, M 2 206, same as the conventional"hash function using block encryp- 
M 3 207, M 4 208, M 5 209, . . . ) which are streamed in this tion" and "special-purpose hash function" in the point that 
order. the injection extension unit 105 performs the character- 
Thereafter, in a processor 217, the 64-bit data blocks of N substitution/transposition processing on the extension data 
and the four 64-bit data blocks constituting the initial value 65 107 input thereto. 

110 are mixed with each other. Specifically, as shown in However, the injection extension unit 105 of this embodi- 

FIG. 2, the following replacement is performed: ment is different from the conventional hash function in the 
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poinl thai Ihe injection extension unit transforms the input 
frames so that for the respective frames constituting the 
extension data 107, if the input value to the injection 
extension unit 105 is different, the output value is also 
different (injection), and the length of the output value is 5 
longer than the input value (extension). In this embodiment, 
this processing is referred to as "injection extension pro- 
cessing". 

FIG. 4 is a flowchart showing an example of the process- 
ing in the injection extension unit 105. to 

First, in step 402, the initial value 110 of 256 bits is input, 
and it is set to H. 

Subsequently, in step 403, q is set to 1. 

Subsequently, in step 404, a q-th frame E q of the extension 
data 107 shown in FIG. 1 is input. 15 

Subsequently, in step 405, the injection extension pro- 
cessing is performed on the frame E q by using H parameter 
so that the length of the frame E^ is extended from 64 bits 
to 96 bits. 

Subsequently, in step 406, the injection extension pro- 20 
cessing is performed on the data obtained in step 405 by 
using H as a parameter so that the length of the data is •■ 
extended from 96 bits to 128 bits. 

Thereafter, in step 407, the injection extension processing 
is performed on the data obtained in the step 406 so that the 25 
length of the data is extended from 128 bits to 256 bits. The 
data of 256 bits thus obtained is set to H. 

Subsequently, in step 408, it is judged whether the q-th 
frame E q corresponds to the final frame of the frames 
E 2 , . . . constituting the extension data 107 . If it is the final 30 
frame, the processing goes to step 410. If not, the processing 
goes to step 409. 

In step 409, the value of q is incremented by "1" (q=q+l), 
and then the processing returns to step 404. 

In step 410, the data H of 256 bits which is set in the step 35 
407 is for the final frame of the frames constituting the 
extension data 107, so that H is output as the hash value 
Hash 111. 

Next, the injection extension processing in the steps 405 
to 407 shown in FIG. 4 will be described. 40 

First, the injection extension processing (injection exten- 
sion from 64 bits to 96 bits) in the step 405 shown in FIG. 
4 will be described. 

FIG. 5 is a flowchart showing an example of the injection 
extension processing from 64-bit data to 96 -bit data in the 45 
step 405 shown in FIG. 4. 

First, in step 502, the 64-bit frame input in the step 404 
shown in FIG. 4 is divided into upper 32-bit data Xj and 
lower 32-bit data Y a . When the data H of 256 bits (the value 
set in the step 402 when the frame input in step 404 is the 50 
first frame E 2 or the value set in step 407 which is executed 
immediately before when the frame input in step 404 is a 
second or subsequent frame E 2 . . . in FIG. 4) is divided from 
the head thereof every 32 bits to obtain eight 32-bit data H 3 , 
H-*, . . . , H ft . 55 


60 


uosequently, in step 503, the processing shown by the 
following equation is performed to generate X 2 and Y 2 : 

W 

As a result, X 2 becomes 64-bit data, and Y 2 becomes 
32-bit data. In step 503 of FIG. 5, a heavy -line 'airow— ' 
' T1 =F5p¥§BtM!ts How 'of 64-bit data, and a fine line arrow repre- 
sents flow of 32-bit data. 65 

Subsequently, in step 504, X 2 , Y 2 are output, and then this 
flow is ended. 


Through the above processing flow, the frame E^ com- 
prising the 32-bit data X 2 and the 32-bit data Y 1 can be 
extended to the data of 96 bits in total which comprise 64-bit 
data X 2 and the 32-bit data Y 2 . In addition, the relationship 
that governs that X 2 , Y 2 , X : and Y : are uniquely determined 
from X a =X 2 -(Y 2 +Hj) 2 and Y 2 =Y 2 can be established, that 
is, the injection relationship can be established. 

Accordingly, the injection extension from 64-bit data to 
96-bit data can be performed by the above processing flow. 

However, the processing in the step 405 shown in FIG. 4 
is not limited to that of FIG. 5, and any processing may be 
used insofar as it performs the injection extension process- 
ing from 64-bit data to 96-bit data. 

Next, the injection extension processing (injection exten- 
sion from 96 bits to 128 bits) in step 406 shown in FIG. 4 
will be described. 

FIG. 6 is a flowchart showing an example of the injection 
extension processing from 96-bit data to 128-bit data in step 

406 shown in FIG^^. — ■ ■ — *~ " 

First t .ifl-step'602, the 64-bit data X 2 and the 32-bit data Y 2 
nch are generated injke_flQw of FIG. 5 are input, and 

■further H^t^K ^s^s^ H zZ^gg^g ^ 2 ^^ dat ajy 
H 2 , H 3 , . . . , H 8 which are generated by dividing 256-bit data 
H in step 502 of FIG. 5 are input. 

Subsequently, in step 603, the 64-bit data X 2 are divided 
into upper 32-bit data X H and lower 32-bit data X L . 

Thereafter, in step 604, X 3 , Y 3 are generated by succes- 
sively performing the processing as indicated by the follow- 
ing equations: 

A=X L eoxl! 2 
B=X„+H. i +l 
C=AB 

C'»(CeorK2)+(// 4 ||//s)+l 

E=rot x2 {C H )+H?+\ 
F=(D\\E) 
G~X 2 +F+1 

1>G 

Here, "eor" represents Exclusive Or of every bit. For 
example, 110010 eor 011001=101011. Further, "+" repre- 
sents addition. When up-shift occurs in the calculation of the 
most significant bit, the up-shift portion is neglected. For 
example, 101101+100100=010001. 

"||" represents coupling of data. For example, 
111111||000000=U111000000. "rot^U)" represents data 
obtained by cyclically shifting numerical value data U to the 
upper side by T bits. For example, rot 2 (110000)=000011. 
Here, the left side of the numeral value data corresponds to 
the upper side. 

The processing indicated by the above equations is suc- 
cessively performed, whereby X ^anoLYi are generated as 
64-bil data, respectively. In step 604 of FIG. 6, the heavy 
line arrow represents the flow of the 64-bit data, and the fine 
line arrow represents the flow of the 32-bit data. 

Subsequently, in step 605, X 3 , Y 3 are output, and then this 
flow is ended. 

Through the above flow, the data of 96 bits in total which 
comprise the 64-bit data X 2 and the 32-bit data Y 2 can be 
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extended to the data of 128 bits in total which comprise the special-purpose hash function", the hash value a having 
64-bit data X 3 and the 64-bit data Y 3 , and the injection higher degree of data scrambling can be quickly generated, 
relationship can be established wherein when X 3 , Y 3 are That is, in the multiplication of the 32-bit data (32 bitsx32 
given, X 2 and Y 2 are uniquely determined. bits-*64 bits), each bit of the output 64-bit data is affected 
The processing in the step 406 shown in FIG. 4 is not 5 by all the input bits. Therefore, the degree of scrambling of 
limited to that of FIG. 6, and any processing may be used the data is high and thus the character-substitution process- 
insofar as it can perform the injection extension processing ing can be performed efficiently. 

from 96-bit data to 128-bit data. In the case of the 100 MHz Pentium processor produced 

Next, the injection extension processing (the injection by Intel Corporation, which has currently become widely 

extension from 128 bits to 256 bits) in step 407 shown in to used as a microprocessor for personal computers, the prod- 

FIG. 4 will be described. uct calculation (multiplication) can be carried out at about 

FIG. 7 is a flowchart showing an example of the injection ten million times a second. This means that the processing 

extension processing from 128-bit data to 256-bit data in speed is increased to about 20 times of the 20 MHz 68020 

step 407 shown in FIG. 4. processor produced by Motorola Incorporation, which was 

First, in step 702, the 64-bit data X 3 , Y 3 which are 15 made public in the middle of the 1980s and could perform 

generated in the flow shown in FIG. 6 areliipuL Fuilllervthe the product calculation at about 0.5 million times a second. 

*eignT32-6it data H a , H 2 , H 3 , H 4J H 5 , H 6 , H 7 , H 8 which are In addition, the former processor is more effective to 

generated by dividing the 25 6-birdataH in step 502 of FIG. perform the cyclic shift calculation of 32-bit data since 

5 are input. ' character-substitution processing is performed efficiently. 

Subsequently, in step 703, the 64-bit data X 3 are divided 20 In the operation processing based on the microprocessor, 

into upper 32-bit data X^ and lower 32-bit data X^. the cyclic shift calculation, that is, the transposition pro- 

Thereafter, in step 704, the 64-bit data Y 3 is divided into cessing of 32-bit data, can be implemented by only one 
upper 32-bit data Y^ and lower 32-bit data Y^. processing step. However, according to a recent 
Subsequently, in step 705, by performing the processing microprocessor, for example, a Pentium processor produced 
indicated by the following equations, K ls K2, K 3 , . . . , K 8 25 by Intel Corporation, the cyclic shift is completed in one 
are generated while repeating the character-substitution/ cycle. According to the 100 MHz Pentium processor pro- 
transposition, duced by Intel Corporation, the cyclic shift calculation 

processing can be carried out at about one hundred million 

^il^jK^ B l! w 6) + ( w //IK) + ((^/y cor ^)IIC^i. eor} l)) times per second. This means that the processing speed is 

sr nr m iiw \ m f/HiiH wv riv vi 30 increased to about forty times of the 20 MHz 68020 pro- 

cessor produced by Motorola Incorporation which was made 

^I^H^I^+t^l^HC^eo^llC^oryj) p U bii c i n tne middle of the 1980s and could perform the 

„ Htx ,--yrrrrr' ^7Zri^77C*TiTT\r— ^--^ cyclic shift at about 2.5 million times a second. 

^^^r-^ As described above, according to the first embodiment, 

As a result, each of the data K 1( K 2 , K 3 , K 4 , K 5 , K 6 , K 7 , aSswhen the character-substitution/transposition processing is 
Kgjxcomejij^ 705 of FIG. 7, the fine lin^____^performed, the hash value having a higher degree of data 

arrow represents the flow of the '32-biPdata. scrambling can be rapidly generated by using the basic 

Subsequently, in step 706, K lt K 2 , K 3 , K 4 , K 5 , IQ, K 7 , K 8 operation of the microprocessor which is particularly effec- 
are successively coupled to one another in this order to tive owing to recent technical innovations, 
generate H (K 2 ||K 2 ||K 3 |iK 4 | |K 5 1 |K 6 K 7 ||K 8 ->H), whereby H 40 In the conventional "hash function using block encryp- 
becomes data of (32 bits X 8=256 bits). tion" and "the special-purpose hash function", the character- 
In step 708, H generated in step 706 is output, and then substitution processing is usually realized by adding 32-bit 
this flow is ended. data to each other. The addition processing of the 32-bit data 

Through the above flow, the data of 128 bits in total which can be carried out at about one hundred million times for one 
comprise the 64-bit data X 3 and the 64-bit data Y 3 can be 45 second in the case of the 100 MHz Pentium processor 
extended to the data H of 256 bits, and the injection produced by Intel Corporation. This means that the process- 
relationship that when given H, X 3 and Y 3 are uniquely ing speed is increased to about ten times that of the 20 MHz 
determined. 68020 processor produced by Motorola Incorporation which 

Through the above flow, the injection extension from was made public in the middle of the 1980s and could carry 

128-bit data to 256-bit data can be performed. 50 out the addition processing at about ten million times for one 

The processing in step 407 shown in FIG. 4 is not limited second, 

to that of FIG. 7, and any processing may be used insofar as The multiplication processing (32 bit data x32 bit data) 

it can perform the injection extension processing from has the same data scrambling effect as obtained when the 

128-bit data to 256-bit data. addition processing is performed 32 times and the cyclic 

In the above-described first embodiment, during the pro- 55 shift processing is performed 32 times. In consideration of 

cess of generating the hash value by using the input frame this fact, it is more effective to use the multiplication 

E q and the initial value 110 or H which is an output of the processing than the addition processing at the present time, 

injection extension unit 105, the multiplication processing when the Pentium processors made by Intel Corporation are 

for respective 32-bit data (the processing X 2 =X 1 +(Y J +H 1 ) 2 mainly used. 

in step 503 of FIG. 5 and the processing C=A B in step 604 60 According to the first embodiment of the present 

of FIG. 6) is performed in the character-substitution/ invention, during the process of generating the hash value 

transposition processing. In addition, the cyclic shift calcu- with the input frame E q and the initial value 110 or H output 

lation on the 32-bit data is also carried out (the processing from the injection extension unit 105, the injection extension 

D=rot 5 (C^) eor H 6 , E=rot 12 (C // )+H 7 +l in step 604 of FIG. unit 105 for performing the character-substitution/ 

6). 65 transposition processing performs the transformation pro- 

With the above operation, compared with the conven- cessing on the input frame so that with respect to the 

tional "hash function using block encryption" and "the respective frames which are input to the injection extension 
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unil 105 and constitute the extension data 107, if the input 
value is different, the output value is totally different 
(injection), and also so that the length of the output value is 
longer than that of the input value (extension), thereby 
generating a hash value having high collision free property, 5 
that is, a safety hash value. 

That is, in the conventional hash function, when the 
length of the section (frame) of a message input to the 
character-substitution/transposition repeating processing is 
compared with the length of the intermediate output to be 10 
output, the length of the intermediate output is equal to the 
length of the frame to be input (the hash function using block 
encryption) or shorter than the length of the frame to be 
input (the special-purpose hash function). 

On the other hand, according to the first embodiment of 15 
the present invention, using the above -described injection 
extension processing, the length of the intermediate output 
(256 bits) is set to be longer than the length of the input 
frame (64 bits). Accordingly, the message collision problem 
in the character-substitution/transposition processing which 20 
occurs in MD5 can be relatively readily avoided. 

Further, according to the first embodiment of the present 
invention, as shown in FIG. 1, the initial value 110 may be 
used not only as the first parameter to be input to the 
injection extension unit 105, but also to generate the exten- 25 
sion data 107 by extending the message 3001 as pre- 
processing before the message 3001 is input to the injection 
extension unit 105. 

With the above operation, compared with the conven- 
tional hash function, as shown in FIG. 27, in which the initial 30 
value 3004 is used as only the first parameter to be input to 
the character-substitution/transposition repeating processing 
3005, this embodiment can further reduce the probability of 
the initial collision inducing the same hash value for differ- 
ent initial values. 35 

Further, according to the first embodiment, as shown in 
FIG. 1, as the pre-processing before the message 3001 is 
input to the injection extension unit 105, processing is 
carried out to divide the message into plural blocks and then 
copying some or all of the plural blocks thus generated to 40 
mix the copied blocks with the original plural blocks (which 
is referred to as "K-time repetitive expansion processing 
every L blocks" in this embodiment). 

With the above operation, compared with the conven- 
tional hash function, as shown in FIG. 27, in which the 45 
message 3001 concerned is divided to merely generate the 
plural sections PI, P2, . . . as the pre-processing before the 
message 3001 is input to the character-substitution/ 
transposition repeating processing 3005, this embodiment 
can further reduce the message collision probability of the 50 
same hash value being derived for different messages. 

In the first embodiment described above, the processing 
as indicated by X 2 =X 1 +(Y 1 +H 3 ) 2 in step 503 of FIG. 5 and 
the processing as~mdicatecTby"C^A B in step 604 of FIG. 6 
are performed as the 32-bit data multiplication processing in 55 
the injection extension unit 256 for performing the 
character-substitution/transposition. However, it is needless 
to say that the multiplication processing used in the present 
invention is not limited to the above equations. 

Likewise, the cyclic shift calculation processing of the 60 
present invention is not limited to the processing as indi- 
cated by D=rot 5 (C L ) eor H 6 , E-rot^(C // )+H 7 +l in step 604 
of FIG. 6. 

Further, in the above embodiment, the frame El, E2, . . . 
of the extension data 107 to be input to the injection 65 
extension 105 is set to 64 bits, and the intermediate exten- 
sion data output from the injection extension unit 105 is set 
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to 256 bits (accordingly, the hash value is set to 256 bits). 
However, the present invention is not limited to this manner. 

A modification of the first embodiment of the present 
invention in which the frame to be input to the injection 
extension unit 105 is set to 64 bits and the intermediate 
output from the injection extension unit is set to 80 bits 
(accordingly, the hash value is set to 80 bits) will be 
described hereunder. 

FIG. 8 is a diagram showing the functional constitution of 
a hash value generating device according to a modification 
of the first embodiment of the present invention. Here, the 
elements having the same function as the hash value gen- 
erating device 101 shown in FIG. 1 are represented by the 
same reference numerals. 

The point of difference between the hash value generating 
device 101a shown in FIG. 8 and the hash value generating 
device 101 shown in FIG. 1 resides in that an initial value 
802 of 80 bits is used in place of the initial value 110 of 256 
bits, a mixing processor 801 is used in place of the mixing 
processor 103 and an injection extension unit 803 is used in 
place of the injection extension unit 105. The other con- 
struction is the same as shown in FIG. 1. 

The hash value generating device 101a shown in FIG. 8 
generates a hash value Hash 804 of 80 bits. 

The mixing processor 801 is the same as the mixing 
processor 103 shown in FIG. 1 in that each of the message 
2501 and the initial value 802 is divided into plural data 
blocks and both the blocks are mixed with each other, 
however, the specific processing of the mixing processor 
801 is different from that of the mixing processor 103 
because the mixing processor 801 uses the initial value 802 
of 80 bits. 

FIG. 9 is a diagram showing an example of the processing 
in the mixing processor 801. 

Here, the initial value 802 comprises a data block I 5 901 
of 64 bits and a data block 1 2 902 of 16 bits which are 
arranged in this order. 

First, in the padding processor 220, the message 2501 is 
processed so that the sum of the length of the message 2501 
and the length of the initial value 802 (80 bits) is set to an 
integral multiple of Lx64. This processing is the same as the 
padding processing 220 in the mixing processor 103 shown 
in FIG. 2. 

The message 2501 which is processed in the padding 
processor 220 so that the overall length thereof is set to an 
integral multiple of Lx64 is converted to data 216 compris- 
ing 64-bit dala blocks of N, M^OS, M 2 206, M 3 207, M 4 208, 
M 5 209, . . . which are arranged in this order. 

Thereafter, in the processor 903, the 64-bit data blocks of 
N and the 64-bit data block 1^901 and the 16-bit data block 
I 2 902 which constitute the initial value 802 are mixed with 
each other. Specifically, as shown in FIG. 9, the following 
data replacement is performed "M^D^ l^D^, M 2 ->D 3 , 
l 2 ||I 2 ||I 2 I 2 ^D 4 , M 3 ->D 5 , M 4 -»D 6 , M 5 -D 7 r M 6 ->D 8 , 
M 7 ^D 9 , 

As a result of the replacement, a sequence of 64-bit data 
blocks N+2, D.210, D 2 311,D 3 212, D 4 213, D 5 214, . . . which 
are arranged in this order are output as the intermediate 
extension data 215. The length of the intermediate extension 
data 215 is set to an integral multiple of Lx64 bits. 

The injection extension unit 803 is the same as the 
injection extension unil 105 shown in FIG. 1 in that the 
injection extension is performed while performing the 
character-substitution/transposition processing on the exten- 
sion data 107 to be input to the injection extension unit 803. 
However, since the output (intermediate output) from the 
injection extension unit 803 is set to 80-bit data, the specific 
processing is different. 
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FIG. 10 is a flowchart showing an example of the pro- 
cessing in the injection extension unit 803. 

First, in step 1002, the initial value 802 of 80 bits is input, 
and then this value is set to H. 

Subsequently, in step 1003, q is set to 1. Thereafter, in step 
1004,a q-th frame E^ of the extension data 107 of FIG. 8 is 
input. 

Subsequently, in step 1005, the injection processing is 
carried out on the frame E^ by using H as a parameter. 

Subsequently, in step 1006, the injection extension pro- 
cessing is carried out on the data obtained in step 1005 by 
using H as a parameter so that the length of the data is 
extended from 64 bits to 80 bits. The 80-bit data thus 
obtained is set to H. 

Subsequently, in step 1007, it is judged whether the q-th 
frame £ q corresponds to the final frame of the frames E 3 , E^ 
. . . which constitute the extension data 107. When it is the 
final frame, the process goes to step 1009, and if not so, the 
processing goes to step 1008. 

In step 1008, the value of q is incremented by "1" 
(q=q+l), and then the processing returns to step 1004. 

In step 1009, the 80-bit data H set in step 1006 is for the 
final frame of the frames constituting the extension data 107, 
so that H is output as the hash value Hash 804. 

Subsequently, the extension processing in step 1005 of 
FIG. 10 and the injection extension processing in step 1006 
will be described. 

First, the injection processing (injection from 64 bits to 64 
bits) in step 1005 of FIG. 10 will be described. 

FIG. 11 is a flowchart showing an example of the injection 
processing from 64-bit data to 64-bit data in step 1005 
shown in FIG. 10. 

First, in step 1102, the 64-bit frame E q in put in step 1004 
of FIG. 10 is divided into upper 32-bit data X 3 and lower 
32-bit data Y,. 

Further, the data H of 80 bits (the value set in step 1002 
when the frame input in step 1004 is the first frame E 1( or 
the value set in step 1006 which is executed just before when 
the input frame is the second or subsequent frame E 2 , . . . ) 
are divided into 32-bit data H 3 , 32-bit data H 2 and 16-bit 
data H 3 from the head thereof. 
^ Subsequently, in step 1103, X 9 and Y ? are generated by 
performing the processing represented by the following 
equations: 

A' 2 =A' 1 +(y 1 +// 1 ) 2 (mod2 32 ) 
Y^Y, 

As a result, each of X 2 , Y 2 becomes 32-bit data. In step 
1103 of FIG. 11, the fine line arrow represents the flow of 
32-bit data. 

Thereafter, in step 1104, X 2 and Y 2 are output, and then 
the flow is ended. 

As a result of the above flow, the frame E^ comprising the 
32-bit data X 1 and the 32-bit data Y 3 can be converted to the 
data of 64 bits in total which comprise the 32-bit data X 2 and 
the 32-bit data Y 2 . Further, the injection relationship that 
given X 2 , and Y 2 , X 3 and Y 3 are uniquely determined from 
X 1 =X 2 -(Y 2 +H 1 ) 2 (mod 48 ) and Y 3 =Y 2 can be established. 

Accordingly, the injection processing from 64-bit data to 
64-bit data can be performed by the above flow. 

However, the processing of step 1005 of FIG. 10 is not 
limited to that of FIG. 11, and any processing may be used 
insofar as it performs the injection processing from 64-bit 
data to 64-bit data. 

Next, the injection extension processing (injection exten- 
sion from 64 bits to 80 bits) in step 1006 of FIG. 10 will be 
described. 
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FIG. 12 is a flowchart showing an example of the injec- 
tion extension processing from 64-bit data to 80-bit data in 
step 1006 of FIG. 10. 

First, in step 1202, the 32-bit data X 2 , Y 2 generated in the 
5 flow of FIG. 11 are input. Further, the 32-bit data H 3 , H 2 and 
the 16-bit data H 3 which are generated by dividing the 80-bit 
data H in step 1102 of FIG. 11 are input. 

Subsequently, in step 1203, X 3 , Y 3 are generated by 
successively performing the processing represented by the 
10 following equations: 

A-to1 5 (X 2 +H 2 +1) 
5^4+A r 2 cor(// 3 |lW 3 )+l 
C-rot n (B +H l ) 
D=C+(li or // 2 )+l 
E=D 2 +Y 2 {mo<tt**) 
F^r 2 +H 3 +E(mod2 32 ) 
20 ;r 3 =£+F+(// 1 ||// 2 )(rnod2 48 ) 
»F 

Here, "or" represents logical OR every bit. 

By successively performing the processing represented by 
25 the above equations, X 3 becomes 48-bit data and Y 3 
becomes 32-bit data. In step 1203 of FIG. 12, the heavy line 
arrow represents the flow of 48-bit data, and the fine line 
arrow represents the flow of 32 -bit data or 16 bit data. 
Subsequently, in step 1204, X 3 , Y 3 are output, and then 
30 the flow is ended. 

As a result of the above flow, the data of 64 bits which 
comprise 32-bit data X 2 and 32-bit data Y 2 can be extended 
to the data of 80 bits in total which comprise 48-bit data X 3 
and 32-bit data Y 3 . In addition, the injection relationship 
35 which, X 2 and Y 2 are uniquely determined when given X 3 
and Y 3 can be established. 

Accordingly, the injection extension from 64-bit data to 
80-bit data can be performed by the above flow. 

However, the processing in step 1006 of FIG. 10 is not 
40 limited to that of FIG. 12, and any processing may be used 
insofar as it can perform the injection extended processing 
from 64-bit data to 80-bit data. 

The first embodiment of the present invention has been, 
described above. 
45 Next, a second embodiment according to the present 
invention will be described. 

FIG. 13 is a diagram showing the functional constitution 
of the data encryption device according to a second embodi- 
ment of the present invention. As in the case of the hash 
50 value generating device of the first embodiment, a prede- 
termined program is executed by a microprocessor in an 
information processing device having a microprocessor such 
as a personal computer, an IC card or the like, whereby the 
data encryption device can be implemented. Further, it may 
55 be implemented by only one LSI. 

In FIG. 13, when a data key 1302 having any length is 
input to the data encryption device 1311, a system key 1303 
of 256 bits is given as an initial value in the hash value 
generating device 1301, and a hash value of 256 bits for the 
60 data key 1302 is generated. This hash value is set as a work 
key 1304. 

The work key 1304 is divided into eight 32 -bit data W a , 
W 2 , . . . , W 8 . 

Here, the hash value generating device 1301 may be that 
65 used in the first embodiment, or the conventional "hash 
function using block encryption" or "special-purpose block 
function". 
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Further, when plain text 1305 of 128 bits which is an data of 128 bits in total comprising 64-bit data X 2 , Y 2 by 

encryption target is input to the data encryption device 1311, performing the character-substitution/transposition, 

the plain text 1305 is divided into two items of 64-bit data, Further, the conversion processing from XJjYj to X 2 ||Y 2 

and input to a ^-function processing unit 1306. may be set to bisection. That is, there exists a k' 1 -function 

The data input to the x- function processing unit 1306 are 5 which can perform inverse conversion from the output 

converted to two 64-bit data (as described later) by using X 2 ||Y 2 to the input X J ||Y 1 . 

eight 32-bit data W i , W 2 , . . . , W 8 as a key and then input Specifically, X A , Y 1 can be calculated from X 2 , Y 2 by 

to the 7i- function processor 1307. Thereafter, in the same successively carrying out the processing indicated by the 

manner as the processing in the ^-function processor 1306, following equations: 

the input data are converted to two 64-bit data. 10 

Thereafter, the above processing is successively per- GmY i 

formed in the Ji-function processors 1308 to 1313, thereby c=x 2 -g-(w 7 \\w^ 

outputting two 64-bit data from the 7t-function processor 2 

1313. These two 64- bit data are coupled, and encrypted text C' H \\C' L =C 

1310 of 128 bits is generated. is 

Next, the processing in the rc-function processors 1306 to =rotst L * eor 5 

1313 shown in FIG. 13 will be described. E^ot 12 (' H )+w 6 +'i 

The jt-function processors 1306 to 1313 perform the 

character-substitution/transposition processing on the two f-d\\e 

input 64-bit data by using the work key 1304 as a parameter. 20 x G _ F _i 
However, unlike the encryption function such as DES which 

has been hitherto used for the conventional character- ^ H |^^ 2 
substitution/transposition processing, the Jt-function proces- 
sors 1306 to 1313 of this embodiment contain the processing 

for multiplying the two 32-bit data and the result of the 25 B=x H +w 2 +l 
32-bit cyclic shift calculation. 

FIG. 14 shows an example of the processing in the C-AB 

^-function processors 1306 to 1313. Y^tc-iw \\w 4 )-i) cor c 

First, in step 1402, two 64-bit data X 2 , Y 2 (the data ^ 3 

obtained by dividing 128 bits of a plain text in the jt-function 30 Since X 1 and Y 3 can be calculated by successively 

processor 1306, and the data output from the immediately carrying out the processing indicated by the above 

preceding ^-function processor in the Jt- function processors equations, the cipher text 1310 which is generated by the 

1307 to 1313) are input. Further, the eight 32-bit data W., to data encryption device 1311 can be decrypted to the original 

W 8 constituting the work key 1304 are input. plain text 1305 by the inverse conversion using Jt" 1 - 

Subsequently, in step 1403, the 64-bit data X 2 input in 35 function, 

step 1402 is divided into upper 32-bit data X^ and lower The processing in the Jt-function processors 1306 to 1313 

32-bit data X L . shown in FIG. 13 is not limited to that shown in FIG. 14, and 

Subsequently, in step 1404 , X 2 , Y 2 are generated by any processing may be used insofar as it contains the 

successively performing the processing indicated by the multiplication processing between two 32-bit data and the 

following equations: 40 cyclic shift calculation of 32-bit data when the 

character=substitution/transposition of the bijection is car- 
A-X^oiWi ried QUt 

B=X H +w 2 +i According to the second embodiment of the present 

invention, during the process of encrypting the plain text 
C=a b 45 1305 using th e work key 1304 , the multiplication processing 

for the two 32-bit data (processing OA-B in step 1404 of 
FIG. 14) in the Jt-function processors 1306 to 1313 is carried 
C'JIC'^C' out for performing the character-substitution/transposition 

processing. In addition, the cyclic shift calculation on 32-bit 
=rot ^ L ' eor 5 50 data is also performed (the processing D=rot 5 (C L ) eor W 5 , 

£=rot 12 (C'„) + w 6+ i E=rot J2 (C // )+W ti +l in step 1404 of FIG. 14.) 

With the above question, an cipher text having a high 
F=D V£ degree of data scrambling can be more quickly generated 

G=x 1 +F+i tnan when an encryption function such as DES or the like is 

55 used for the character-substitution/transposition processing 
x 2 =c+G+m\wj as described above. 

y 2=G In the second embodiment, as shown in FIG. 13, the 

processing in the ^-function processor is carried out at eight 

By successively performing the processing indicated by times (n=8). However, the present invention is not limited to 
the above equations, each of X 2 and Y 2 becomes 64-bit data. 60 this manner, For example, the value of n may be given from 
In step 1404 of FIG. 14, the heavy line arrow represents the the external, whereby n can be varied to any positive integer, 
flow of the 64-bit data, and the fine line arrow represents the The second embodiment of the present invention has been 

flow of 32-bit data. described above. 

Next, in step 1405, X 2 and Y 2 are output, and then this Next, a third embodiment according to the present inven- 
flow is ended. 65 tion will be described. 

As a result of the above flow, the data of 128 bits in total FIG. 15 is a diagram showing the functional constitution 
which comprise 64-bit data X lT Y 1 can be converted to the of a masking device according to a third embodiment of the 
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present invention. Here, the masking device is defined as a common key 1502 is extended. Further, the masking data 

device for generating data to mask (cover and hide) data. 1520 can be also regarded as data for which the extended 

The data generated by the masking device may be used as a data 1503 are encrypted by the common key 1502. That is, 

key for encrypting data. by performing the processing which is inverse to the pro- 

The masking device of this embodiment can be imple- 5 cessingof FIG. 15, the extension data 1503 can be encrypted 

mented by making a microprocessor execute a predeter- from tne common key 1502 and the masking data 1520. 

mined program in an information processing device having ln the third embodiment of the present invention, the 

a microprocessor such as a personal computer, an IC card or [ength of the common key 150 2 is set to 128 bits. However, 

the like as in the case of the hash value generating device of the sem invenlioo is not limited l0 th i s embodiment, 

the first embodiment. Further, it may be implemented by J(J Further) the processing in the ^.function processor is carried 

°i ™^ ie' u i iem r 1 -.0 u-. a out twice on each of the sections 1504, 1505, ... of the 

In FIG. 15, when a common key 1502 ot 128 bits and . t , . . . 

extension data 1503 comprising 128-bit common keys of N f xtens j on d » ta 1503 however, the present invention is not 

which are linked to one another are input to the masking hm i| ed <° < his embodiment 

device 1501, a hash value of 128 bits for data which are The third embodiment of the present invention has been 

obtained by linking a random number 1521 generated in a 15 described above. 

random number generating device 1508 and the input com- Next > a fourth embodiment according to the present 

mon key 1502 is generated in a hash value generating device invention will be described. 

1509. This hash value is set as a work key 1524 for This embodiment relates to a data encryption/decryption 

encrypting a first section 1504 which is a first 128-bit data system for electronic mails, etc., and contains a data encryp- 

of the extension data 1503. Further, the random number 20 tion device and a data decrypting device. Like the hash value 

1521 generated in the random number generating device generating device of the first embodiment, the data encryp- 

1503 is set as a first data of the masking data 1520. tion device and the data decryption device which will be 

Here, as the hash value generating device 1302 may be described below can be implemented by making a micro- 
used that of the first embodiment, or the conventional "hash processor execute a predetermined program in an informa- 
function using block encryption" or "special-purpose block 25 tion processing device having a microprocessor such as a 
function". personal computer, an IC card or the like, and it may be also 

In a ji-function processor 1513, the first section 1504 of implemented by only one LSI. 

the extension data 1503 is subjected to the character- First, the data encryption device will be described, 

substitution/transposition using a part of the work key 1524 FIG. 16 is a diagram showing the functional constitution 

as a parameter to be converted to 128-bit data. Thereafter, in 30 of the data encryption device which constitutes the data 

the ^-function processor 1514, the 128-bit data generated in encryption/decryption system according to the fourth 

the k- function processor 1513 is subjected to the character- embodiment of the present invention, 

substitution/transposition using a part of the work key 1524 A base point P 1602 serving as a parameter in an elliptical 

as a parameter to be converted to 128-bit data. This data is curve cipher, a public key Q 1603 and a plain text 1604 are 

set a second data g 3 1522 of the masking data 1520. Further, 35 input to the data encrypting device 1601 shown in FIG. 16. 

the 128-bit data generated in the ^-function processor 1513 Here, the elliptical curve cipher is a public key encryption 

is set as a work key 1525 for encrypting a second section which is executed by defining an addition calculation (x_,, 

1505 which is a second 128-bit data of the extension data yi)+(x 2 , y 2 ) or an integer- multiple calculation ^x^yj, etc. 

1503. of two points (x^y^), (x 2 ,y 2 ) on an elliptical curved line 

Further, in a jt-function processor 1518, the second sec- 40 which is represented by the following equation: 
tion 1505 of the extension data 1503 is subjected to the 
character-substitution/transposition using a part of the work 

key 1525 as a parameter to be converted to 128-bit data. The base point P 1602 and the public key Q 1603 are 

Thereafter, in a jt-function processor 1519, the 128-bit data points on the elliptical curved line, and it satisfies the 

generated in the Jt-function processor 1518 is subjected to 45 following relationship with a secret key d 1802 as described 

the character-substitution/transposition using a part of the i ater: 
work key 1525 as a parameter to be converted to 128-bit 

data. This data is set as a third data g 2 1523 of the masking Q" dp 

data 1520. Further, the 128-bit data generated in the The base point P input to the data encrvp tion device 1601 

jt-function processor 1518 is set as a work key 1526 for 50 is inpul t0 the i nteger .multiple calculator 1608 together with 

encrypting a third section (not shown) which is a third a random number k generated in the random number gen- 

128-bit data of the extension data 1503. erating device 160? In respoase t0 thiSj the integer-multiple 

The above processing is performed on all the sections ca i cu i ator 1608 performs the processing represented by the 

(128-bit data) constituting the extension data 1503 to gen- foUowing equation to generate data R 1617: 
erate the masking data 1520. 55 

Here, in the masking device 1501 shown in FIG. 15, the R=kP 

ji-fimction processors 1513, 1514 1518, 1519 . . are the ^ da(a R m7 ^ , he flrs( da , a Qf , he encrypted texl 

same as the Ji-tunction processors 1306 to 1313 used in the \(,\(, 

second embodiment shown in FIG 13. The public key 0 1603 inpul to the data encryption device 

Accordingly, according to the third embodiment of the 60 is i t t0 tne integer . multiple ca i culalor 1609 together with 

present invention, mask data having higher degree of data a fc ted in the random generaling 

scrambling can be more quickly generated as compared with device and m ^ ^ ^ ^ ; nt mulli le 

the case where the encryption function such as DES or the calculator 1609 forms , he processing represented by the 

like ,s used for the character-substitut.on/transpos.tion pro- followi ation t0 generate a point (x>y) on lhe elliptical 

C T ng , u„ u f , , • ,- 65 ^ed line 
In the third embodiment of the present invention, the 

masking data 1520 can be regarded as data for which the (x, y )=kQ 


Y 2 =x*+ax+b 
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The first N-bil dala 1605 of the plain text 1604 which is 
input to the data encryption device 1601 is input to the 
compression/encryption unit 1612. In response to this, the 
compression/encryption unit 1612 performs the 
compression/encryption processing of the first N-bit data 5 

1605 by using as a key the hash value generated in the hash 
value generating device 1611, thereby generating the data C, 

1618. This data C a 1618 is set as the second data of the 
cipher text 1616. 

The hash value generating device 1611 generates a hash 10 
value for data which are obtained by connecting a sequence 
number "1" generated in a number generator 1610 and a 
numerical value x of (x,y) generated in the integer-multiple 
calculator 1609. 

Further, the second N-bit data 1606 of the plain text 1604 15 
input to the data encryption device 1601 is input to the 
compression/encryption unit 1615. In response to this, the 
compression/encryption unit 1615 performs the 
compression/encryption processing of the second N-bit data 

1606 by using as a key the hash value generated in the hash 20 
value generating device 1614, thereby generating data C 2 

1619. This data C 2 1619 is set as the third data of the cipher 
text 1616. 

The hash value generating device 1614 generates a hash 
value for data which are obtained by connecting the 25 
sequence number "2" generated in the number generator 
1613 and the numerical value x of (x,y) generated in the 
integer-multiple calculator 1609. 

The above processing is performed on all the N-bit data 
constituting the plain text 1604 to generate the cipher text 30 
1616. 

In the data encryption device 1601 shown in FIG. 16, each 
of the hash value generating devices .1611, 1614, . . . may be 
those of the first embodiment, or the conventional "hash 
function using block encryption" or "special-purpose block 35 
function". 

Next, the processing of the compression/encryption unit 
1612, 1615, . . . shown in FIG. 16 will be described. 

FIG. 17 is a diagram showing the functional constitution 
of the compression/encryption units 1612, 1615, .. . shown 40 
in FIG. 16. 

Here, the N-bit data correspond to the N-bit data 1605, 
1606, . . . constituting the plain text 1604 in FIG. 16. The 
data C represent the data C 1 1618, C 2 1619, . . . which are 
generated by the compression/encryption units 1612, 45 
1615, ... in FIG. 16. Further, a key 1705 corresponds to the 
hash value generated by the corresponding hash value 
generating device 1611, 1614, ... in FIG. 16. 

In FIG. 17, when the key 1705 is input, an extension unit 
1706 receives this key 1705 to generate plural copies of the 50 
key 1705, and link these copies to generate a work key 1723, 

The first section 1703 which is a first data section of the 
N-bit data is subjected to compression (character 
substitution) processing such as Haffman compression or the 
like by using a part of the work key 1723 as a parameter in 55 
the compressor processor 1707, and the compression result 
is output as 128-bit compressed data 1708 and fraction data 
1706. 

The 128 -bit compressed data 1708 are subjected to the 
character-substitution processing using a part of the work 60 
key 1723 to be converted to 128- bit data in the tz- function 
processor 1710. The processed data are further subjected to 
the character-substitution/transposition using a part of the 
work key 1723 as a parameter to be converted 128-bit data 
in the jc-function processor 1711. This data are set as the first 65 
data bj 1720 of the data C to be generated. The 128-bit data 
generated in the ^-function processor 1710 is input to the 
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extension unit 1712, and plural copies are generated there- 
from. These copies are linked to one another to generate a 
work key 1722 for encrypting the second section 1704 
which is a second data section of the N-bit data. 

The second section 1704 which is the second data section 
of the N-bit data is subjected to the compression (character 
substitution) processing using a part of the work key 1722 as 
a parameter by the Haffman compression or the like, and the 
result is output as compressed data 1714 and fraction data 
1715. Here, the compressed data 1714 is generated so that 
the total bit length of the bit length thereof and the bit length 
of the fraction data 1709 generated when the first section 
1703 is subjected to the compression (character substitution) 
processing becomes 128 bit. 

The compressed data 1714 is linked to the fraction data 
1709 generated when the first section 1703 is subjected to 
the compression (character substitution) processing, thereby 
generating the 128-bit data. Thereafter, in a Jt-function 
processor 1716, the data is subjected to the character- 
substitution/transposition processing using a part of the 
work key 1722 as a parameter in the ^-function processor 
1716 to be converted to 128-bit data. Thereafter, in a 
n-function processor 1718, the processing result is further 
subjected to the character-substitution/transposition process- 
ing using a part of the work key 1722 as a parameter to be 
converted to 128-bit data. This data is set as a second data 
b 2 1721 of the data C to be generated. Further, the 128-bit 
data generated in the n-function processor 1716 is input to 
an extension unit 1717 to generate plural copies of the 
128-bit data. These copies are linked to one another to 
generate a work key for encrypting a third data section of the 
N-bit data. 

By performing the above processing on all the sections 
constituting the N-bit data, the corresponding data C is 
generated. 

Here, the ^-function processors 1710, 1711, 1716, 
1718, . . . shown in FIG. 17 are the same as the Ji-function 
processors 1306, 1307, 1308, . . . 1313 used in the second 
embodiment shown in FIG. 13. 

According to the data encryption device which constitute 
the data encryption/decryption system of the fourth embodi- 
ment of the present invention, the data encryption is per- 
formed by combining the elliptical curved-line cipher and 
the hash value generating device. In addition, the Ji-function 
processor used in the second embodiment is used as the 
compressing/encryption unit. 

Accordingly, according to the data encryption device 
which constitute the data encryption/decryption system of 
the fourth embodiment of the present invention, as com- 
pared with the conventional public key cipher type data 
encryption device such as RSA(Riverst, Shamir, Adleman), 
cipher text having higher degree of scrambling can be more 
quickly generated for longer data. 

The data encryption device of this embodiment is the 
same as the data encryption device using the conventional 
public key cipher system of RSA in that plain text 1604 is 
converted to encrypted text 1616 by using the public key 
Q1603. However, the data encryption device of the fourth 
embodiment of the present invention is different from the 
conventional system in that the character-substitution/ 
transposition is performed by using the xc-function proces- 
sor. 

Further, the compression (character substitution) process- 
ing is performed by the Haffman compression, etc. in the 
compression processors 1701, 1713, . . . , and thus with 
respect to normal plain text which can be compressed by the 
Haffman compression, etc, the length of the cipher text 1616 
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is set to be shorter than the length of the plain text 1604. In 1816, . . . which are generated by the decryption/extension 

this point, this embodiment is also different from the prior units 1810, 1813, ... in FIG. 18. Further, the key 1905 

arts corresponds to a hash value which is generated by the 

In the compressing/encryption units 1612, 1615, ... as corresponding hash value generating device 1809, 1812, . . . 

shown in FIG. 17, the conversion processing on each section 5 in FIG. 18. 

(the first section 1703, the second section 1704, . . . ) Further, the jT-function processor 1907, 1910, 1914, 

constituting the N-bit data in the ^-function processor is 1916, . . . performs the processing which establishes the 

carried out twice. However, the present invention is not inverse function relationship with the processing in the 

limited to this embodiment. jt-function processor 1710, 1711, 1716, 1718, . . . shown in 

Next, a data decryption device will be described. 10 FIG. 17. That is, the ji '-function corresponds to the inverse 

FIG. 18 is a diagram showing the functional constitution function of the ji-function. 

of the data decryption device constituting the data In the case where the same parameter is set to the 

encryption/decryption system according to the fourth ji-function and the Ji^-function, if data ji (m) which are 

embodiment of the present invention. obtained by converting data m with the it-function is further 

To the data decryption device 1801 shown in FIG. 18 are 15 converted by the ji '-function, the result is the original data 

input a secret key d 1802 serving as a parameter in the m. That is, the rt^-function and the ^-function satisfy the 

elliptical curved-line cipher, and a cipher text 1803. following equation: 

The secret key d 1802 which is input to the data decryp- m-ct^H) 
tion device 1801 is input to an integer-multiple calculator 

1807 together with the first data R 1804 (corresponding to 20 Further, the extending processor unit 1911, 1917, ... 

the data R 1617 in FIG. 16) of the cipher text 1803 input to performs the processing which has the inverse-conversion 

the data decryption device 1801. In response to this, the relationship with the processing in the compression proces- 

integer-multiple calculator 1807 performs the processing sor 1707, 1713, . . . shown in FIG. 17. 

indicated by the following equations to generate a point (x,y) In the case where the same parameter is set to the 

on the elliptical curved line: 25 compression processor and the extension processor, if data 

which are obtained by subjecting the data ra to the com- 

&y)=dR pression (character-substitution) processing is further con- 

The second data C 2 1805 of the cipher text 1803 input to verted by the extension (character-substitution) processing, 

the data decryption device 1801 is input to a decryption/ the original data m are obtained. 

extension unit 1810. In response to this, the decryption/ 30 In FIG. 19, when the key 1905 is input, the extension unit 

extension unit 1810 performs the decryption/extension pro- 1906 receives the key 1905 to generate plural copies thereof, 

cessing of the second data Q 1805 by using as a key the and links these copies to generate a work 1923. 

hash value generated in the hash value generating device The first 128-bit data b x 1903 of the data C is subjected 

1809, thereby generating N-bit data. This data is set as the to the character-substitution/transposition processing to be 
first N-bit data 1815 of the plain text 1814. 35 converted to 128-bit data by using a part of the work key 

The hash value generating device 1809 generates a hash 1923 as a parameter in the jc '-function processor 1907, and 

value for data obtained by connecting the sequence number then further subjected to the character-substitution/ 

"1" generated in a number generator 1808 and the numerical transposition processing to be converted to 128-bit data by 

value x of (x,y) generated in an integer-multiple calculator using a part of the work key 1923 as a parameter in the 

1807 40 jif'-function processor 1910. 

The third data C 2 1806 of the encrypted text 1803 input In the extension processor 1911, the output result of the 

to the data decryption device 1801 is input to a decryption/ jc" 1 -function processor 1910 is subjected to the extension 

extension unit 1813. In response to this, the decryption/ (character-substitution) processing by using a part of the 

extension unit 1813 performs the decryption/extension pro- work key 1923 as a parameter. The result is output as the 

cessing of the third data C 1806 by using as a key the hash 45 128-bit extended data 1912 and the fraction data 1913 

value generated in the hash value generating device 1812, thereof. The 128-bit extended data are set as the data 1921 

thereby generating N-bit data. This data is set as the second of the first section of the N-bit data to be generated. Further, 

N-bit data 1816 of the plain text 1814. the 128-bit data generated in the jT'-function processor 

The hash value generating device 1812 generates a hash 1907 is input to an extension unit 1909, and plural copies are 

value for data obtained by connecting the sequence number 50 generated therefrom. These copies are linked to one another 

"2" generated in a number generator 1811 and the numerical to generate a work key 1924 for decrypting the second 

value x of (x,y) generated in the integer-multiple calculator 128-bit data b 2 1904 of the data C. 

18 07 Further, the second 128-bit data b 2 1904 of the data C is 

The above processing is performed on the second data C a subjected to the character-substitution/transposition to be 

1805 up to the final data, which constitute the cypher text 55 converted to 128-bit data by using a part of the work 1924 

1803, thereby generating the plain text 1814. as a parameter in the jr'-function processor 1914, and then 

In the data decryption device 1801 shown in FIG. 18, the further subjected to the character-substitution/transposition 

hash values generating device 1809, 1812, ... are the same to be converted to 128-bit data by using a part of the work 

as shown in FIG. 16. key 1924 as a parameter in the jt _1 -function processor 1916. 

Next, the processing in the decryption/extension units 60 The output result of the rT 1 -function processor 1916 is 

1810, 1813, . . . shown in FIG. 18 will be described. subjected to the extension (character-substitution) process- 
FIG. 19 is a diagram showing the functional constitution ing by using a part of the work key 1924 as a parameter in 

of the decryption/extension unit 1810, 1813, . . . shown in the extension processor 1917. The result is output as 

PIG is extended data 1918 and fraction data 1919 thereof. 

Here, the data C represent the second and subsequent data 65 Here, the extended data 1918 is generated so that the total 

of the cypher text 1803 (Q 1805, C 2 1806, . . . ) in FIG. 18. bit length of the extended data 1918 and the fraction data 

Further, the N-bit data corresponds to the N-bit data 1815, 1913 generated when the data b 1 1903 is subjected to the 
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extension (character-subslitution) processing is equal to 128 integer-multiple calculator 2009. This hash value is set as the 

bits. The data of 1 28 bits in total which are obtained by above key 2020. 

linking the extended data 1918 and the fraction data 1913 are The second N-bit data 2006 of the plain text 2004 input 

set as the data 1922 of the second section of the N-bit data to the data encryption device 2001 is input to the 

to be generated. Further, the 128-bit data generated in the 5 compression/encryption unit 2015. In response to this, the 

jt _1 -function processor 1914 are input to the extension unit compression/encryption unit 2015 performs the 

1915 to generate plural copies thereof. These copies are compression/encryption processing of the second N-bit data 

linked to one another to generate a work key for decrypting 2006 b y usin & 35 a ke y 2021 a hash value generated in a hash 

the third 128-bit data of the data C. value generating device 2014, thereby generating data C 2 

The above processing is performed on all the 1 28-bit data to 2019 ' This data C 2 2019 is set as the third data of the ci P her 

b 2 , b 2 , . . . constituting the data C to generate the N-bit data. text 2016 - 

According to the data decryption device which constitutes ^ above Processing is carried out on all the N-bit data 

the data encryption/decryption system of the fourth embodi- constituting the plain text 2004 to generate the cipher text 

mem of the present invention is the same as the conventional 2016. 

data decryption device using the public key cipher system of 15 In the data encrv P tlOT1 device 2«H shown in FIG. 20, the 

RSA in that the cipher text 1803 is decrypted to plain text compression/encryption unit 2012, 2015, ... has the same 

1814 by using the secret key d 1802. However, the data construction as the compression/encryption unit 1612, 

decryption device in the fourth embodiment of the present 1615 > ' ' ' shown in FIG - 16 

invention is different from the conventional device in that ^ fourth embodiment of the present invention has been 

the character-substitution/transposition is performed by 20 descnbed above - 

using the rt^-function processor as described above. . Nex f' a fiflh embodiment according to the present inven- 

Further, since the extension (character-substitution) pro- tl0n Wlllbe descnbed - 

cessing is carried out in the extension processors 1911, As in the case of the fourth embodiment, this embodiment 

1917, . . . , the plain text 1814 which is decrypted becomes relates 10 a data encryption/decryption system for electronic 

longer in data length than the cipher text which is com- 25 mail, etc., and it contams a data encryption device and a data 

pressed by the Haffman compression or the like. This decryption device. Like the hash value generating device of 

embodiment is also different from the conventional device in the first embodiment, the data encryption device and the data 

this point. decrypting device of this embodiment can be implemented 

Next, a modification of the data encryption device accord- b ^ makin & a microprocessor executing a predetermined 

ing to the fourth embodiment will be described. 30 P ro 8 ram 111 an information processing device having a 

FIG. 20 is a diagram showing the functional constitution microprocessor such as a personal computer, an IC card or 

of the modification of the data encryption device of the the ^ Further > 11 ma y be implemented by only one LSI. 

fourth embodiment accord ing to the present invention First ' the data encryption device will be described, 

shown in FIG 16 2 ^ * s a diagram showing the functional constitution 

To a data encryption device 2001 shown in FIG. 20 are 35 of the data enc ryption device constituting a data encryption/ 

input a base point P 2002 serving as a parameter in the decryption system according to a fifth embodiment of the 

elliptical curved-line cipher, a public key Q 2003 and a plain P re sent invention. 

text 2004 *° tbe data encrv P tl0n device 2101 shown in FIG. 21 are 

The base point P 2002 input to the data encryption device in P ut a base P oinl P 2102 servin S 88 a Parameter in the 

2001 is input to an integer-multiple calculator 2008 together 40 elliptical curve cipher, a public key Q, 2103, a public key Q 2 

with a random number k generated in a random number 2104 ' a P ubhc ke y Q 3 2105 ' a P ublic ke y ^ 2123 and P lain 

generating device 2007. In response to this, the integer- teX * 21 f* 6 ' . ^ M 

multiple calculator 2008 carries out the processing indicated ^ base P oint P 2102 whlch 15 m P ut t0 the data encr yP" 

by the following equation to generate data R 2017: I 1 ?" device 2101 1S in P ut 10 an integer-multiple calculator 

A5 2123 together with a random number k generated in a 

R=kp random number generating device 2113. In response to this, 

the integer-multiple calculator 2123 carries out the process- 

The data R 2017 is set as first data of the cipher text 2016. ing indicated by the following equation to generate data R 

Further, the public key 0 2003 input to the data encryption 2109: 
device 2001 is input to the integer-multiple calculator 2009 
together with the random number k generated in the random 50 

number generating device 2007. In response to this, the -This data R 2109 is set as the first data of the cipher text 

integer- multiple calculator 2009 carries out the processing 2108. 

indicated by the following equation to generate a point (x,y) The public key Ch 2103 input to the data encryption 

on the elliptical curved line: device 2101 is input to an integer-multiple calculator 2114 

55 together with a random number k generated in the random 

(x,y)=kg number generating device 2113. In response to this, the 

^ n * . Ci „ A integer-multiple calculator 2114 carries out the following 

The first N-bit data 2005 i of the plain text 2004 input to the pressing indicated by the following equation to generate a 

data encryption device 2001 is input to a compression/ int ( } on , he eih ^ curved hne: 
encryption unit 2012. In response to this, the compression/ 60 

encryption unit 2012 performs the compression/encrypting {x u y x )=kQ x 

processing of the first N-bit data 2005 by using as a key 2020 Thereafter, the numerical value xi of (Xj, yj is input to the 

a hash value generated in a hash value generating device hash value generating device 2119, and converted to a hash 

2011, thereby generating data C 1 2018. This data C, 2018 is value hfo). 

set as the second data of the cipher text 2016. 65 Likewise, the public key Q 2 2104 input to the data 

The hash value generating device 2011 generates a hash encryption device 2101 is input to an integer-multiple cal- 

value for a numerical value x of (x,y) generated in the culator 2115 together with a random number k generated in 
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the random number generating device 2113. In response to calculating the hash value h(x,) if any two hash values of the 

this, the integer-multiple calculator 2115 carries out the hash values \\(xj, h(x 3 ), h(x 4 ) are known, 

processing indicated by the following equation to generate a FIG. 22 is a diagram showing the functional constitution 

point fx,, v ? ) on the elliptical curved line: of the threshold value logic unit 2125 shown in FIG. 21. 

F 5 As shown in FIG. 22, five data q ljr 2202, h(x,) 2203, h(x 2 ) 

2204, h(x 3 ) 2205, h(x 4 ) 2206 are input to the threshold value 

{x 2 ,y^kQ 2 lQgic unit - 212 5. 

Thereafter, the numerical value x 2 of (x 2 , y 2 ) is input to a Here, q lx 2202 is the x-coordinate value of the public key 

hash value generating device 2126 to be converted to a hash Q 3 2103 and h(Xj) 2203, h^ 2204, h(x 3 ) 2205, h(x 4 ) 2206 

value h(x 2 ). 10 are hash values which are generated in the hash value 

Likewise, the public key Q 3 2105 input to the data generating devices 2119, 2126, 2127, 2128, respectively, 
encryption device 2101 is input to an integer-multiple cal- The calculator 2208 carries out the processing indicated 
culator 2116 together with the random number k generated by the following equation to generate data f, 2110: 
in the random number generating device 2113. In response 

to this, the integer-multiple calculator 2116 carries out the 15 A-sfai*, K x *)> M*a). A(x 3 ), h(xj) 

processing indicated by the following equation to generate a , ^ 

point (x 3 , y 3 ) on the elliptical curved line: Farther, the calculator 2210 carries out the processing 

r v 3 indicated by the following equation to generate data t 2 2111 : 

Thereafter, the numerical value x 3 of the (x 3 , y 3 ) is input 20 h ^> 

to a hash value generating device 2127 to be converted to a ifae function fe defined as foUows . 
hash value h(x 3 ). 

Further, likewise, the public key Q 4 2123 input to the data gix^a^a^a.+a^x+a^+a^niod n) 
encryption device 2101 is input to an integer-multiple cal- 
culator 2124 together with the random number k generated 25 Accordingly, the data f a , f 2 generated in the calculators 
in the random number generating device 2113. In response 2208 and 2210 respectively satisfy the following four- 
to this, the integer-multiple calculator 2124 carries out the element simultaneous equations with q lx , h(x 3 ), h(x 2 ), h(x 3 ), 
processing indicated by the following equation to generate a n ( X4 ) : 
point (x 4 , y 4 ) on the elliptical curved line: 

Thereafter, the numerical value x 4 of the (x 4 , y 4 ) is input to A-K^O-M^-MO^^K^^^^J'M^J^-od n) 

a hash value generating device 2128 to be converted to a AccordinglVj when the values of fjf ^ ^ are known, if 

hash value h(x 4 ) „ M( . ratPC va i 1IM f ?11rt « any two values of h( Xl ), h(x 2 ), h(x 3 ), h(x 4 ) are known, the 

A threshold value logic unit f 25 g en ;. a ^^ ^ t ^ 35 olh y er two values can be deduced (because the number of 

and t 2 2111 which would satisfy a condition or calcula ing number q[ m ^ 

the hash value h(x,) generated in the hash value generating uiikuuwh v*iu« » 4 

device 2119 if any two hash values of the hash values hfrj. ne ™ s cc *« s 1S ^ ual ^ . ; _ rvnt ■ linit 

h(x 3 ),h(x 4 ) generated in the hash value generating devices Next, the processing in the Umt 

2126 2127 2128 are known. These values f, 2110 and f 2 40 2120 shown in FIG. 21 will I e described 

2111aresetasthesecondandthirddataoftheencryptedtext FIG. 23 is a diagram showing k^^ 0 *!^^ 

21Q8 of the compression/encryption unit 2120 shown in FIG. 21. 

Hie threshold value logic unit 2125 will be described in Here, the N-bit data correspond to the N-bit data 2107, . . 
detail later constituting the plain text 2106. Further, the data C represent 

Tlicfirst"N4)itdaU2107ofthcplaintexl2106inputlothe 45 the data C, 2112 . . generated b) 'the compression/ 
data encryption device 2101 is input to the compression/ encryption unit 2120, . m FIG 21. Further a key 2309 
encryption unit 2120. In response to this, the compression/ corresponds to the key 2120, 2122, ... in FIG. 21. 
encryption unit 2120 carries out the compression/encryption In FIG. 23, when the key 2309 is input an extension unit 

processing of the first N-bit data 2107 (which will be 2310 receives the key 2309 to generate plural copies of the 
described later) by using as a key 2120 the hash value h(x a ) 50 key, and link these copes to generate a work key 2311. 
generated in the hash value generating device 2119, thereby Further, a first section 2303 which is the first data section 
generating data C, 2112. This data C, 2112 is set as the of the N-bit data is subjected to compression (character 
fourth data of the cipher text 2108. The key 2120 is input to substitution) processing through the Haffman compression 
a hash value generating device 2121 to be converted to a key or the like by using a part of the work key 2311 as a 
2122 for encrypting the second N-bit data of the plain text 55 parameter in the compression processor 2312. This result is 

output as 128-bit compressed data and fraction data 2314 

The above processing is carried out on all the N-bit data thereof, 
constituting the plain text 2106 to generate the cypher text The 128-bit compressed data 2313 is subjected to block 
2i0g encryption processing by using a part of the work key 2311 

In the data encryption device 2101 shown in FIG. 21, the 60 as a parameter in a rc-function processor 2315 to be con- 
hash value generating device may be the same as that of the verted processor to 128-bit data. Thereafter, in the 
first embodiment, or the conventional "hash function using ji-function processor 2316, it is further subjected to the 
block encryption" or "special-purpose block function". block cipher processing by using a part of the key 2311 as 

Next, the processing in the threshold value logic unit 2125 a parameter to be converted to 128-bit data. This data is set 
shown in FIG. 21 will be described. 65 as the first data b 1 2306 of the data C to be generated. 

As described above, the threshold value logic unit 2125 Further, the 128-bit data to be generated in the jt-tunction 
generates values t l9 f 2 which would satisfy the condition for processor 2315 is input to an extension unit 2317 to generate 
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plural copies thereof. These copies are linked to one another embodiment, the threshold value control for the number of 

to generate a work key 2318 for encrypting a second section receivers who can decrypt the cipher text can be performed. 

2304 which is a second data section of the N-bit data. That is, by multi-casting the cipher text 2108 to each of 

The second section 2304 which is the second data section the owners of the secret keys d lf d 2 , d 3 , d 4 , the owner having 

of the N-bit data is subjected to the compression (character- 5 the secret key d 1 can decrypt the cipher text 2108 alone, and 

substitution) processing through the Haffman compression also any two of the other three owners having the secret keys 

or the like by using a part of the work key 2318 as a d 2 , d 3 , d 4 can decrypt the cipher text 2108 if the owners 

parameter in the compression processor 2319. The result is cooperate with each other. 

output as the compression data 2320 and the fraction data Next, a modification of the data encryption device shown 
2321. Here, the compressed data 2320 is generated so that ]Q j n FIG. 21 will be described. 

the total bit length of the compressed data 2320 and the 1 FIG. 25 is a diagram showing the functional constitution 

traction data 2314 which are generated in the compression of an e le of the modification of thc data encryption 

is e a ua°lT S i28 St b UU ° Pr ° CeSSing ° f the filSl 80011011 2303 device shown in FIG. 21. Here, the elements having the 

is equa o its. same functions as those of the data encryption device 2101 

The compressed data 2320 is linked to the fraction data rtf vin „„ 0 ™™™t«i u„ *u e i 
2314 generated when the first section 2303 is subjected to « 0t ™- 21 are re P resented by the same reference numerals, 

the compression (character substitution) processing, so that * d at a encryption dev 1C e 2101 a shown in FIG. 25 is 

the total bit length thereof is equal to 128 bits. Thereafter, in Jflferen \ from the data encrv ption de ^ ce 2101 shown in 

the n-function processor 2322, the data are subjected to the FIG ' 21 m that an integer-multiple calculator 2501 is used in 

block cipher processing by using a part of the work key 2318 P lace of the integer- multiple calculator 2123. The remainder 
as a parameter to be converted to 128-bit data. Thereafter, in 20 of the construction is the same as shown in FIG. 21. 

the Jt-function processor 2324, the data are further subjected The integer-multiple calculator 2501 is the same as the 

to the block encrypting processing by using a part of the integer-multiple calculator 2123 shown in FIG. 21 in that it 

work key 2318 as a parameter to be converted to 128-bit receives the base point P 2102 and the random number k 

data. This data is set as the second data b 2 2307 of the data generated in the random number generating device 2113 to 
C to be generated. 25 carr y out tne processing indicated by R=kP. However, it is 

If the fraction data 2321 generated when the second different in that only the value 2502 of R calculated from 

section 2304 is subjected to the compression (character tne above e q ua ti°" is output. 

substitution) processing has r bits (r^l), the hash value Accordingly, in the data encryption device 2101 a shown 

generating device 2323 generates the hash value for the key in FIG - 25 > the data K 2502 is se t as the first data of the 
2309. In response to this, a calculator 2325 performs an 30 encrypted sentence 2108a. 

exclusive OR operation between the upper r bits of the hash In the data encryption device 2101 a shown in FIG. 25, the 

value generated in the hash value generating device 2323 ci P ner text t0 be generated is shorter than the cipher text 

and the fraction data 2321 to generate data of r bits. This data generated in the data encryption device 2101 shown in FIG. 

is set as the third data b 3 2308 of the data C to be generated, 2 

Through the above processing, the encryption data C for 35 That fe, according to the data encryption device 2101 

the N-bit data are generated. shown in FIG. 21, in the integer-multiple calculator 2123, 

According to the data encryption device which constitutes the P oim R=kP 00 the elliptical curved line is calculated, and 

the data encryption/decryption system of the fifth embodi- the x-coordinate value R^ and the y-coordinate value R y of 

ment of the present invention, the hash value h(x a ) is used R thus calculated are output and set as the first data R 2109 

as an initial value to encrypt the plain text 2106. 40 °f tne cipher text 2108. 

Accordingly, in order to decrypt the cipher text 2108 which 0n tbe other band ' according to the data encryption device 

is encrypted by the data encryption device, the hash value 2101 a shown in FIG. 25, in the integer-multiple calculator 

h(Xi) may be calculated. 2501, the point R=kP on the elliptical curved line is 

In the data encryption device, the threshold value logic calculated, and only the x-coordinate value of R thus cal- 

unit 2125 generates the values f ls f 2 which satisfy the 45 culated is output and set as the first data R^ 2502 of the 

condition under which the hash value h(x a ) can be calculated cipher text 2108a. 

if any two hash values of the hash values h(xj, h(x 3 ), h(x 4 ) Accordingly, the cipher text 2108a generated by the data 

are known, and adds these values f l9 f 2 to the cipher text encryption device 2101a shown in FIG. 25 is shorter than 

2108. me cipher text 2108 generated by the data encryption device 

Therefore, a person who receives the cipher text 2108 50 2101 snown in FIG - 21 b y tne amount corresponding to the 

(that is, a person who receives f„ f 2 ) can obtain h(x,) used data of the y-coordinate value R y (for example, 160 bits), 

for the encryption if he/she knows any two of h(x 2 ), h(x 3 ), Next > the dala decryption device will be described. 

h(x 4 ) (q^ is further needed in the case shown in FIG. 22). FIG - 26 is a diagram showing the functional constitution 

Accordingly, the decryption of the cipher text 2108 can be of the data decryption device constituting the data 
performed not only by a person who has the secret key d a 55 encryption/decryption system according to the fifth embodi- 
which is paired with the public key Q, (i.e., a person who ment of tne present invention. The data decryption device is 
can obtain the hash value h(x 2 ) alone), but also by coop- used t0 decrypt the cipher text 2108a generated by the data 
eration between any two persons of a person having the encryption device 2101 a shown in FIG. 25. 
secret key d 2 which is paired with the public key Q 2 (i.e., a ^ shown in FIG. 26, the data decryption device corn- 
person who can obtain the hash value h(x 2 ) alone), a person 60 P rises a data recovery engine 2607, a key keeping engine A 
having the secret key d 3 which is paired with the public key 2608 and a kev keeping engine B 2609. 
Q 3 (i.e. a person who can obtain the hash value h(x 3 ) alone) when tne P ublic ke y Qi 2103 an d the cipher text 2108a 
and a person having the secret key d 4 which is paired with are in P ut to the dala recovery engine 2607 shown in FIG. 26, 
the public key Q 4 (i.e. a person who can obtain the hash a calculator 2611 determines a y-coordinate value R y which 
value h(x 4 ) alone). 65 satisfies the following elliptical curve equation with the first 

The former equates to 1-out-of-l decryption logic, and the data R * 2502 of the ci P he r text 2108a; 

latter equates to 2-out-of-3 decoding logic. According to this R y 2 -R x *+a-R x +b 
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Usually, two resolutions R y exist for this equation. 
Assuming that one resolution is represented by r, the other 
resolution is represented by -r (when the equation: y 2 +xy« 
x 3 +ax+b is used as an elliptical curved line, representing one 
resolution by r, the other resolution is represented by R^+r). 5 

Any one of the resolutions is taken, and the other reso- 
lution is ignored. In this case, it is assumed that r is taken. 
The calculator 2611 outputs R=( R x> r )* 

Subsequently, the data recovery engine 2607 transmits the 
value R output from the calculator 2611 to each of the key ]0 
keeping engines A 2608 and B 2609. 

In response to this, the key keeping engine A 2608 
successively carries out the following processing: 

(1) Reading out the secret key d 2 2618 (paired with the 
public key Q 2 2104) stored in the key keeping engine A 15 
2608 itself. 

(2) Calculating the point (x 2 , y 2 ) on the elliptical curved line 
which satisfies the following equation with the value R 
transmitted from the data recovery engine 2607 in a 
calculator 1619. 


data restoring engine 2607, any one of the resolutions is 
transmitted to the key keeping engine A 2608 and the key 
keeping engine B 2609. 

Subsequently, when receiving the respective hash values 
h(x 2 ) and h(x 3 ) from the key keeping engine A 2608 and the 
key keeping engine B 2609, the data recovery engine 2607 
starts the processing by a threshold value inverse operation 
logic unit 2612. 

The threshold value inverse operation logic unit 2612 first 
receives the hash values h(x 2 ) and h(x 3 ), the x-coordinate 
value q lx of the public key Q x 2103 and the second and third 
data fj 2110, f 2 2111 of the cipher text 2108a. Thereafter, it 
generates h(x 2 ), h(x 4 ) which satisfy the following two- 
element simultaneous equations: 

/ I -/i(x 1 )-hft(.v 2 )^ Lt +/ ) (x 3 >(? Xj: 2 +/j(^)^i/(mod n) 
/ 2 W<x 1 )+^(x 2 ) /i(?i,)+/'Cx3) /«C^ lJr ) 2 +^(^)'/>C?u) 3 (mod n) 


Here, the above two-element simultaneous equations cor- 
20 respond to the case where h(x 2 ) and h(x 3 ) are known in the 
four-element simultaneous equations in which the hash 
values h(Xj), h(x 2 ), h(x 3 ), h(x 4 ) generated in the hash value 
generating devices shown in FIGS. 21 and 25 are unknown. 

In the hash value generating devices shown in FIGS. 21 
and 25, (x 2 , y 2 )=kQ 2 is calculated by using the random 
number k generated in the random number generating 
device, and the hash value for the x-coordinate numerical 
value x 2 thereof is set as h(x 2 ). Likewise, (x 3 , y 3 )=kQ 3 is 
calculated by using the random number k, and the hash value 
for the x-coordinate numerical value x 3 thereof is set as 
h(x 3 ). 

On the other hand, in the hash value generating device 
shown in FIG. 26, d 2 R (or d 2 R') is calculated by using R 
which is calculated from R=kP by using the same random 


25 


30 


(1) Generating the hash value h (x 2 ) of the x-coordinate 

value x 2 of (x 2 , yj calculated in the calculator 2619 in the 

hash value generating device 2620. 
(4) Transmitting the hash value h(x 2 ) generated in the hash 

value generating device 2620 to the data recovery engine 

2607. 

Further, the key keeping engine B 2609 successively 
carries out the following processing: 

(1) Reading out the secret key d 2 2621 (paired with the 
public key Q 3 2105) stored in the key keeping engine B 
2609 itself. 

(2) Calculating the point (x 3 , y 3 ) on the elliptical curved line 
satisfying the following equation with the value R trans- 35 num ber k as described above (or by using R' which is 
mitted from the data recovering engine 2607 in the different from R in only the sign of the y-coordinate), and the 
calculator 2622: hash value for the x-coordinate numerical value x 2 (or x 2 ') 

is set as h(x 2 ). Likewise, d 3 R (or d 3 R') is calculated and the 
fe^W hash value for the x-coordinate numerical value x 3 (or X 3 *) 

(3) Generating the hash value h(x 3 ) of the x-coordinate value 40 is set as h(x 3 ). 

X3 of (x 3 ,y 3 ) calculated in the calculator 2622 in the hash Here, from the relationship of the secret key and the 

value generating device 2623. public key in the elliptical curve ciphering, it is established 

(4) Transmitting the hash value h(x 3 ) generated in the hash that Q 2 =d 2 P, Q 3 =d 3 P. Accordingly, the following equations 
value generating device 2623. is satisfied: 
The hash values h(x 2 ), h(x 3 ) obtained through the above 45 

processing have the following feature. 

It is assumed that the data transmitted to each of the key 
keeping engines A 2608 and B 2609 is not R=(R Xir ) , but 
R'^R^'-r). In this case, the calculation of (x 2 ',y 2 ')=d 2 R' is 
performed in the calculator 2919 of the key keeping engine 50 
A 2608. However, (x 2 ',y 2 ')=(x 2 -y 2 ) due to the property of 
the calculation on the elliptical curved line. That is, in the 


calculation using the elliptical curved line y =x +ax+b, the 


equation: 
Y2)=d 2 (R, 


-(x,yMx, 
0, d 2 (R x 


-y) is satisfied. At this time, if (x 


d 2 R~dJcP~kd 2 P~kQ 2 ^(x 2 , y 2 ) 

For the reason described above, the X-coordinate values of 
d 2 R, d 3 R are equal to x 2 , x 3 . 

Accordingly, each of the hash values h(x 2 ), h(x 3 ) gener- 
ated in the hash value generating device shown in FIG. 26 
is coincident with each of the hash values h(x 2 ), h(x 3 ) 
generated in the hash value generating device shown in 


r)=d 2 (-(R^, r))=-d 2 (R^, r)=(x 2 , -y 2 ) 55 FIGS. 21 and 25, so that each of the hash values h(x,), h(x 4 ) 


Further, in the calculation using the elliptical curved line: 
x 3 +ax +b, the equation: -(x,y)=( x > x+y) is satisfied. 


y 2 +xy 


At this time, if (x 2 , y 2 )=d 2 (R x , r), d 2 (R ;c ,R x +r)=d 2 (-(R*, 
r))=-d 2 (R^, r)=(x 2 , x^y^ Accordingly, h(x 2 ')=h(x2). 

That is, even if R=(R X , r) is input or R'=(R X , -r) is input, 
the hash value h(x 2 ) output from the key keeping engine A 

2608 is not varied. 

Likewise, even if R=(R X , r) is input or R'=(R^, -r) is input, 
the hash value h(x 3 ) output from the key keeping engine B 

2609 is not varied. 

This is the reason why irrespective of the existence of two 
resolutions R y of the equation in the calculator 2611 of the 


obtained in the threshold value inverse operation logic unit 
2612 is coincident with each of the hash values h(x n ), h(x 4 ) 
generated in the hash value generating device shown in 
FIGS. 21 and 25. 
60 The decryption/extension unit 2614 performs the 
decryption/extension processing on the fourth data C 1 2112 
of the cipher text 2108« by using the hash value h(Xj) 
obtained in the threshold value inverse block unit 2612 as a 
key 2613, thereby generating the first N-bit data 2107 of the 
65 plain text 2106. 

The decryption/extension 2617 performs the decrypt 00 / 
extension processing on the fifth data of the cipher text 
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2108a by using as a key 2616 the hash value generated on 
the basis of the key 2613, in the hash value generating device 
2615, thereby generating the second N-bit data of the plain 
text 2106. 

The above processing is successively repeated until it is 
carried out on the final data constituting the cipher text 
2108a, thereby recovering the plain text 2106. 

In the fifth embodiment of the present invention, if f,, 
f 2 , . . . , f„ are contained in the cipher text, the multicasting 
may be performed for n persons so that some of the n 
persons are allowed to decrypt the cipher text alone and the 
other persons are allowed to decrypt the cipher text when at 
least two persons thereof cooperate with each other. 
Alternatively, each of the n persons may be able to decrypt 
the cipher text alone. 

FIG. 24 is a diagram showing the function construction of 
a modification of the threshold value logic unit of the data 
encryption device according to the fifth embodiment of the 
present invention. 

As shown in FIG. 24, three data x 1 2402, x 2 2403 and x 3 
2404 are input to the threshold value logic unit 2125a. 

Here, x 1 2402, x 2 2403 and x 3 2404 represent 
x-coordinate values which are generated in the integer- 
multiple calculators 2114, 2115, 2116 shown in FIG. 21, 
respectively. 

A calculator 2408 carries out the processing indicated by 
the following equation to generate data fj 2406: 

ft=x l -h(x 2 ) 

Here, h(x^) represents the hash value generated in the hash 
value generating device 2126 shown in FIG. 21. Further, a 
calculator 2410 carries out the processing indicated by the 
following equation to generate data f 2 2407: 

/z"*i-A(x 3 ) 

Here, h(x 3 ) represents the hash value generated in the hash 
value generating device 2127 shown in FIG. 21. 

By using the threshold value logic unit 2125a shown in 
FIG. 24, the data encryption device 2101 shown in FIG. 21 
generates the data f., 2406 on the basis of the random number 
k generated during the encryption processing and the public 
key Q 2 2104. Therefore, any person having the secret key d 2 
which is paired with the public key Q 2 2104 can decrypt the 
cipher text 2108 alone. 

Likewise, the data f 2 2407 is generated on the basis of the 
random number k generated in the encryption processing 
and the public key Q 3 2105. Therefore, any person having 
the secret key d 3 which is paired with the public key Q 3 2105 
can decrypt the cipher text 2108 alone. 

That is, the cipher text 2108 is multicasted to persons who 
have the secret keys d J} d 2 , d 3 , whereby each of the persons 
is allowed to decrypt the cipher text alone. Further, in order 
to increment the number of communication targets by one, 
it is sufficient to add the data amount corresponding to the 
length of the hash value (for example, 80 bits), so that the 
multicasting communication can be performed efficiently. In 
this case, only a one-way property is required for the hash 
function, and no collision free property is required. 

In the above embodiment, the elliptical curve cipher 
based on the equation: y 2 =x 3 +ax+b is used. In place of this 
equation, the elliptical curve ciphering based on the equa- 
tion: y 2 +xy«x 3 +ax+b may be used. 

As described above, according to the present invention, 
the hash values having a high degree of data scrambling can 
be generated rapidly. 

Further, data such as keys and cipher text which have a 
high degree of data scrambling can be generated rapidly. 
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Further, when the same data are transmitted to plural 
destinations while encrypted, it is unnecessary to encrypt the 
data by using, for every destination, a public key which is 
distributed from each destination in advance. 
5 Further, even when a receiver loses a secret key because 
he/she carelessly erases it from his/her file or the like, he/she 
can decrypt the received cipher text in cooperation with 
other two or more persons. 
What is claimed is: 
jo 1. A hash value generating method which is used for 
digital signature or data encryption comprising: 

a first step for dividing target data into at least two blocks; 
a second step for performing character-substitution and/or 
transposition processing on any one of the at least two 
15 blocks obtained in said first step; 

a third step for performing multiplication on the data 
obtained in said second step so that the data length of 
the multiplication result is longer than the data length 
of the data concerned; 

20 

a fourth step for further dividing the data obtained in said 

third step into at least two blocks; and 
a fifth step for performing character-substitution and/or 

transposition processing on each of the at least two 
2 5 blocks obtained in said fourth step. 

2. A hash value generating method which is used for 
digital signature or data encryption comprising: 

a first step for dividing target data into at least two blocks; 
and 

30 a second step for subjecting at least one of the at least two 
blocks obtained in said first step to injection extension 
transformation in which an output value is absolutely 
different if an input value is different (injection) and the 
length of the output value is longer than the length of 

35 the input value (extension). 

3. The hash value generating method as claimed in claim 
2, wherein in said injection extension transformation, data 
other than the data serving as a target of the injection 
extension transformation of the at least two blocks obtained 

40 in said first step is used as a parameter. 

4. The hash value generating method as claimed in claim 
2, wherein in said injection extension transformation, an 
initial value which is set separately from the at least two 
blocks obtained in said first step is used as a parameter. 

45 5. The hash value generating method as claimed in claim 
2, wherein said second step performs the injection extension 
transformation on at least any two of the at least two blocks 
obtained in said first step, and wherein the injection exten- 
sion transformation which is performed on one of the at least 

50 two uses as a parameter an initial value which is set 
separately from the at least two blocks obtained in said first 
step, and the injection extension transformation which is 
performed on the other uses as a parameter the result of the 
injection extension transformation using the initial value as 

55 a parameter. 

6. The hash value generating method as claimed in claim 
2, wherein said second step performs the injection extension 
transformation on at least any two of the at least two blocks 
obtained in said first step, one of the at least two being 

60 subjected to the injection extension transformation twice, 
and the injection extension transformation which is per- 
formed on the one of the at least two twice uses as a 
parameter the result of the injection extension transforma- 
tion which is performed on the other. 

65 7. The hash value generating method as claimed in claim 
2, wherein said injection extension transformation contains 
a third step for performing character-substitution and/or 
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transposition processing on an inpul value, and a fourth step 
for performing multiplication on the input value obtained in 
said third step so that the multiplication result is longer than 
the data length of the data concerned. 

8. The hash value generating method as claimed in claim 
2, wherein said injection extension transformation contains 
a third step for performing character-substitution and/or 
transposition processing on an inpul value, and a fourth step 
for performing a cyclic shift calculation on the input value 
obtained in said third step. 

9. A data encryption method for encrypting target data and 
outputting encrypted data having a fixed length, comprising: 

a first step for subjecting target data to character- 
substitution and/or transposition processing; 

a second step for subjecting data obtained in said first step 
to such multiplication processing that the multiplica- 
tion result is longer than the data length of the data 
concerned; 

a third step for dividing the data obtained in said second 

step into at least two blocks; and 
a fourth step for performing character-substitution and/or 

transposition processing on each of the at least two 

blocks obtained in said third step. 

10. A data encryption method for encrypting data and 
outputting encrypted data, comprising processing for suc- 
cessively performing encryption processing on all portions 
constituting target data, the encryption processing contain- 
ing a first step for compressing a part of the target data, a 
second step for subjecting data obtained in said first step'to 
such injection transformation that if an input value is varied, 
an output value is varied, and a third step for outputting the 
data obtained in said second step as a part of encrypted data, 
wherein said first step compresses a first part of the target 
data by using as a parameter data obtained by converting a 
key, and compresses a second and subsequent parts consti- 
tuting the target data by using as a parameter the result of 
said second step which is carried out in the encryption 
processing just before, and said second step performs mul- 
tiplication two or more times in the process of the injection 
transformation. 

U. A hash value generating device for generating a hash 
value which is difficult to inversely convert to original data, 
comprising: 

first dividing means for dividing target data into at least 
two blocks; 

first character-substitution/transposition processing 
means for performing character-substitution and/or 
transposition processing on any one of the at least two 
blocks obtained by said first dividing means; 

multiplication means for performing multiplication on the 
data converted by said first character-substitution/ 
transposition processing means so that the length of the 
multiplication result is longer than the data length of 
the data concerned; 
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second dividing means for further dividing the data mul- 
tiplied by said multiplication means into at least two 
blocks; and 

second character-substitution/transposition processing 
means for performing character-substitution and/or 
transposition processing on each of the at least two 
blocks obtained by said second diving means. 

12. A hash value generating device for generating a hash 
value which is difficult to inversely convert to original data, 

, comprising: 

first dividing means for dividing target data into at least 
two parts; and 

injection extension means for performing injection exten- 
sion transformation so that if an input value is varied, 
an output value is absolutely varied (injection) and the 
length of the output value is longer than the length of 
the input value (extension). 

13. A data encryption device for encrypting data having 
fixed length and outputting encrypted data having fixed data, 
comprising: 

first character-substitution/transposition processing 
means for performing character-substitution and/or 
transposition processing on target data; 

multiplication means for performing multiplication on the 
data converted by said first character-substitution/ 
transposition conversion so that the length of the result 
is longer than the data length of the data concerned; 

dividing means for dividing the data multiplied by said 
multiplication means into at least two blocks; and 

second character-substitution/transposition processing for 
performing character-substitution and/or transposition 
processing on each of the at least two blocks obtained 
by said dividing means. 

14. A data encryption device for encrypting data and 
outputting encrypted data, comprising: 

encryption means which contains compression means for 
compressing a part of target data, injection transforma- 
tion means for subjecting the data compressed in said 
compression means to injection transformation in 
which if an input value is different, an output value is 
completely different, and output means for outputting 
the data converted by said injection transformation 
means as a part of encrypted data; and 

means for successively inputting all portions constituting 
the target data into said encryption means, 

wherein said compression means compresses the first part 
of the target data by using as a parameter data obtained 
by converting a key, and compresses second and sub- 
sequent parts of the target data by using as a parameter 
a injection transformation result which is obtained on 
immediately preceding input data by said injection 
transformation means, and said injection transforma- 
tion means carries out multiplication two or more times 
in the process of the injection transformation. 
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